Attackers are using some Google Play apps and unofficial mods of popular apps to spread dangerous malware, according to security researchers. The Trojan, identified as Necro, is capable of logging keystrokes, stealing sensitive data, installing additional malware and executing commands remotely. Two apps in the Google Play app store were spotted carrying this malware. Furthermore, modded (modified) Android application packages (APKs) of applications such as Spotify and WhatsApp, and of games such as Minecraft, have also been found distributing the Trojan.
Google Play Apps, modded APKs used to spread the Necro Trojan
The Trojan from the Necro family was first noticed in 2019 when the malware infected the popular PDF creation application CamScanner. The official version of the app on Google Play with more than 100 million downloads posed a risk to users, but a security patch fixed the problem at the time.
According to an announcement by Kaspersky researchers, a new version of the Necro Trojan has now been spotted in two Google Play apps. The first is the Wuta Camera app, which has been downloaded more than 10 million times, and the second is Max Browser, with more than 1 million downloads. Researchers have confirmed that Google removed the infected apps after Kaspersky reached out to the company.
The main problem stems from the large number of unofficial ‘modified’ versions of popular applications, which are hosted on many third-party websites. Users can mistakenly download and install them on their Android devices, infecting the devices in the process. Some of the malicious APKs spotted by researchers include modded versions of Spotify, WhatsApp, Minecraft, Stumble Guys, Car Parking Multiplayer and Melon Sandbox; these modded versions promise users access to features that normally require a paid subscription.
Interestingly, attackers appear to be using a variety of methods to target users. For example, the Spotify mod contained an SDK that displayed multiple advertising modules, according to the researchers. A command and control (C&C) server was used to deploy a Trojan payload if a user accidentally touched an image-based module.
Similarly, in the WhatsApp mod, attackers were found to have repurposed Google’s Firebase Remote Config cloud service as a C&C server. Ultimately, interacting with the module would deploy and execute the same payload.
Once installed, the malware can “download executable files, install third-party applications, and open arbitrary links in invisible WebView windows to execute JavaScript code,” noted Kaspersky’s announcement. It can also subscribe the victim to expensive paid services without the user’s knowledge.
Although the apps on Google Play have already been removed, users are urged to exercise caution when downloading Android apps from third-party sources. If they do not trust a source, they should refrain from downloading or installing any application or file from it.