Writing about malware for Android devices suddenly seems like a regular activity. Some of the malicious software stories we have covered this year include “Dangerous new malware uses cookies to break into Google accounts,” “A new Android malware is emptying bank accounts and wiping devices,” and “Trojans disguised as Google Play updates are the next big threats to your data.” A new wave of infections is also starting to surface.
A study by antivirus provider SecureList by Kaspersky (via BleepingComputer) revealed a new Necro Trojan that has been covertly infecting millions of Android devices through malicious SDK supply chain attacks that employ misconfigured advertising SDKs. Two Play Store apps—the since-removed Max Browser and Benqu’s Wuta Camera—were found to include the malware. The Necro Trojan was present in the former, which has more than 10 million downloads, from version 6.3.2.148 (July 18) until version 6.3.6.148 (August 20).
According to BleepingComputer, Max Browser was downloaded more than a million times prior to its removal from the Play Store. The malware is still present in its most recent version, 1.2.0.
Necro’s reach has also been observed to include modified versions of well-known programs, such as Minecraft, Spotify, and WhatsApp, which are typically distributed through unofficial websites and app stores and whose reach is therefore impossible to measure.
What does the Necro Trojan do?
The Trojan’s main activity is installing adware, which loads webpages through undetectable WebView windows and generates advertising revenue for the attacker at your expense.
In addition, the Trojan can help with subscription fraud, download and run arbitrary code on the compromised device, and route malicious traffic so that its origin may be more difficult to determine.
Google worked quickly towards a fix
Following the release of this article, Android Police received the following response from a Google representative:
All of the malicious versions of the apps identified by this report were removed from Google Play prior to report publication. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.
For the majority of users, this means the issue has already been resolved; still, it serves as a reminder to all of us to carefully consider any software before downloading it. If you think you may have downloaded one of the infected apps, it would be wise to promptly remove it and run a reliable antivirus scan on your device. Even though it does not appear that the Trojan was accessing user accounts, it would still be a good idea to update any significant passwords.
Google said that in these kinds of circumstances, the Play Store’s Play Protect feature—which effectively performs a safety check on apps on the Play Store before you install them—is invaluable and ought to be left turned on. Along with alerting you to apps that may be able to access your personal data, the program can also scan your smartphone for malicious apps after they have been downloaded and installed.
Play Protect is on by default, but if you’ve previously disabled it for any reason, here’s how you can turn it back on:
- Open Google Play Store.
- Tap on your profile icon on the top right.
- Tap Play Protect → Settings.
- Enable Scan apps with Play Protect.
To scan your device via Play Protect, simply navigate to the Play Store → profile icon → Play Protect → Scan.