Cybersecurity researchers have revealed malware managed to sneak into the Google Play app store thanks to a compromised software development kit (SDK).
The malware, called Necro, ended up on at least 11 million devices, and quite possibly – a lot more, the team from Kaspersky noted. Necro infiltrated an advertising SDK named ‘Coral SDK’, which should have been used to integrate different advertising modules into an application. However, with steganography, the SDK deploys stage-two malware capable of a number of malicious activities, including loading ads through invisible WebView windows, downloading and running arbitrary JavaScript files, facilitating fraud, and rerouting malicious traffic.
Two seemingly legitimate applications picked up this SDK – a photo editing tool called Wuta Camera by ‘Benqu,’ and Max Browser by ‘WA message recover-wamr.’ The former has more than 10 million downloads, and the latter – one million.
Updating flawed apps
When Kaspersky discovered the malware and notified the developers – Wuta Camera was fixed, and the malware removed. If you are using this app by any chance, make sure to update it to version 6.3.7.138. Max Browser, on the other hand, is still compromised, and the researchers are suggesting deleting the app and switching to a different browser.
Google’s Play Store keeps track of, and displays, the number of downloads. Cumulatively, it is more than 11 million on the platform. However, compromised apps are being distributed through other means, too. Therefore, the number of compromised mobile endpoints is quite likely a lot bigger. Kaspersky found multiple other apps, distributed on third-party websites, carrying the Necro malware, including modded versions of WhatsApp (GBWhatsApp and FMWhatsApp), Spotify (Spotify Plus), Minecraft, Stumble Guys, and many others.
Google is usually very diligent when it comes to protecting its app repository, but even the strongest defenses can sometimes be breached. When downloading new apps, it would be wise not to blindly trust anything found on official stores. Instead, also look at the number of downloads, ratings, and reviews.
Via BleepingComputer