Recently, a new malware called Necro infected 11 million Android devices by getting into apps on Google Play. This malware hid inside popular apps and used tricks to take control of users’ devices. It caused big problems for people who downloaded affected apps. Here is what we know about Necro and how it spreads.
What is Necro?
Necro is a type of malware. Malware is bad software that can harm your device. It can steal information, show unwanted ads, or even take control of the device. This specific malware is known as a “loader.” A loader gets into devices and helps other harmful programs, called payloads, start running.
How Does Necro Spread?
Necro spreads in different ways. Many users found it in apps from Google Play. Some of these apps looked safe but had hidden malware inside them.
Malicious SDKs
The warning first came from Kaspersky, a well-known security company. They found that Necro used something called SDKs, or Software Development Kits. These kits help developers create apps. However, attackers used malicious SDKs to put Necro into safe-looking apps. This includes apps for photo editing and web browsing.
Infected Apps
Two main apps carried Necro. The first was Wuta Camera. This app is for photo editing and had over 10 million downloads. The malware entered version 6.3.2.148 and stayed in later versions until Kaspersky notified Google. The trojan was removed in version 6.3.7.138. Even after the removal, devices that had older versions might still have infections.
The second app was Max Browser. This web browser had around 1 million downloads. Kaspersky found Necro in its latest version, 1.2.0. Google removed this app quickly after learning about the problem.
What Does Necro Do?
After getting into a device, Necro activates harmful plugins. These plugins can perform different bad actions. Here are some harmful activities caused by Necro:
Adware
One of the first things Necro does is load ads. It shows these ads using hidden windows. Users see ads, but they do not know where they come from. This is known as adware. The more users click, the more money the attackers make.
Downloading Bad Programs
Necro also downloads and runs other harmful files. These can be different types of malware. Sometimes, it executes JavaScript and DEX files to cause more trouble.
Subscription Fraud
Some parts of Necro help attackers conduct subscription fraud. This means they trick people into paying for services they never wanted. A specific plugin called the Happy SDK enables this kind of fraud. It steals money from users without their knowledge.
Proxy Use
Infected devices can also be used as proxies. This means attackers route their harmful traffic through the infected device on its way to other destinations. The NProxy plugin lets attackers hide their location and makes it harder for security systems to catch them.
Where Else Does Necro Appear?
Besides Google Play, Necro also spreads through unofficial sources. Many users download modified versions of popular apps. These mods often promise extra features or better privacy. For instance, some popular WhatsApp mods like GBWhatsApp and FMWhatsApp contain Necro.
Apps like Spotify Plus, which provides ad-free services, also spread the malware. Even popular games, including Minecraft mods, have been infected. These modified versions are appealing but often hide severe risks.
What Can Users Do?
If a user believes their device may be infected, there are several steps to follow.
Check Installed Apps
First, check all installed apps. If you see Wuta Camera or Max Browser, uninstall them immediately. These apps are known to carry the Necro malware.
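When many devices need checking, the same review can be scripted. The Python code below is an added example, not code from Kaspersky or Google: it matches apps by display name (an assumption, since the article gives no package names), uses only the version numbers quoted above, and runs on a constructed sample inventory.

```python
# Added example: flag apps the article names, using the version numbers it gives.
# Matching is by display name (an assumption; the article lists no package names).

def parse_version(text):
    """'6.3.2.148' -> (6, 3, 2, 148), so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

# Wuta Camera: Necro entered in 6.3.2.148 and was removed in 6.3.7.138.
WUTA_FIRST_BAD = parse_version("6.3.2.148")
WUTA_FIXED = parse_version("6.3.7.138")
# Modified apps the article names as carrying Necro outside Google Play.
UNOFFICIAL_MODS = {"gbwhatsapp", "fmwhatsapp", "spotify plus"}

def classify(label, version):
    """Return a triage status for one installed app."""
    name = label.strip().lower()
    if name == "max browser":
        return "uninstall"            # article: uninstall if present
    if name in UNOFFICIAL_MODS:
        return "unofficial-mod"
    if name != "wuta camera":
        return "not-listed"
    try:
        v = parse_version(version)
    except ValueError:
        return "uninstall"            # unknown build: treat as affected
    if WUTA_FIRST_BAD <= v < WUTA_FIXED:
        return "infected-build"
    if v >= WUTA_FIXED:
        return "fixed-build-recheck"  # older builds may have left an infection
    return "pre-infection-build"

def triage(inventory):
    """Keep only the (label, version, status) rows that need attention."""
    rows = [(label, ver, classify(label, ver)) for label, ver in inventory]
    return [row for row in rows if row[2] != "not-listed"]

# Constructed sample inventory (label, version); not real device data.
SAMPLE = [
    ("Wuta Camera", "6.3.5.100"),
    ("Wuta Camera", "6.3.7.138"),
    ("Max Browser", "1.2.0"),
    ("GBWhatsApp", "17.0"),
    ("Calculator", "2.1"),
]

if __name__ == "__main__":
    for label, ver, status in triage(SAMPLE):
        print(f"{label} {ver}: {status}")
```

Versions are compared as tuples of integers rather than strings, so a build such as 6.3.10.1 is correctly treated as newer than 6.3.7.138.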
Use Security Software
Using security software helps detect and remove malware. Programs like Kaspersky, Norton, or Bitdefender can find hidden threats. Always keep security software updated to provide the best protection.
Monitor Device Behavior
Keep an eye on how your device behaves. If it slows down unusually, shows unexpected ads, or drains the battery quickly, it may be infected.
Google’s Response
Google has taken action against Necro. After learning about the malware in the two apps, they removed them from the Play Store. They are also working on improving their systems to protect users better.
Google Play Protect is a process that scans apps for harmful behavior. It aims to stop malware like Necro before it can cause damage. Most Android devices have this feature turned on by default. However, users should check that it is turned on for their device.
The Importance of Caution
Users must be careful when downloading apps. Always check the app’s ratings, reviews, and the number of downloads. This helps avoid installing harmful software. Download apps only from official stores like Google Play.