Five years ago, researchers discovered a legitimate Android app on Google Play that was secretly made malicious by a library used by developers to earn advertising revenue. The app was infected with code that caused 100 million infected devices to connect to servers controlled by the attackers and silently download additional malware.
History repeats itself.
Researchers from the same Moscow-based security firm said on Monday that they found two new apps, which have been downloaded from Google Play 11 million times. The apps were infected by the same malware family. The researchers, from Kaspersky, believe that a software developer kit for embedding advertising features is responsible.
Researchers found the Necro malware in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 to 6.3.6.148 contained the malicious SDK.
The app has since been updated to remove the malicious component.
A separate app with around 1 million downloads, known as Max Browser, was also infected. This app is no longer available on Google Play.
The researchers also found that Necro infects many other Android apps available in alternative stores. These apps usually appear as modified versions of legitimate apps like Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer and Melon Sandbox.
Indicators of compromise
Applications infected with the loader
Application | Version | MD5 |
Wuta Camera | 6.3.6.148 | 1cab7668817f6401eb094a6c8488a90c |
Wuta Camera | 6.3.5.148 | 30d69aae0bdda56d426759125a59ec23 |
Wuta Camera | 6.3.4.148 | 4c2bdfcc0791080d51ca82630213444d |
Wuta Camera | 6.3.2.148 | 4e9bf3e8173a6f3301ae97a3b728f6f1 |
Max Browser | 1.2.4 | 28b8d997d268588125a1be32c91e2b92 |
Max Browser | 1.2.3 | 52a2841c95cfc26887c5c06a29304c84 |
Max Browser | 1.2.2 | 247a0c5ca630b960d51e4524efb16051 |
Max Browser | 1.2.0 | b69a83a7857e57ba521b1499a0132336 |
Spotify Plus (spotiplus[.]xyz) | 18.9.40.5 | acb7a06803e6de85986ac49e9c9f69f1 |
GBWhatsApp | 2.22.63.16 | 0898d1a6232699c7ee03dd5e58727ede |
fmwhatsapp | 20.65.08 | 1590d5d62a4d97f0b12b5899b9147aea |