Cybersecurity researchers have revealed that malware made its way into the Google Play Store through a compromised software development kit (SDK).
The malware, dubbed Necro, ended up on at least 11 million devices, and possibly many more, the Kaspersky team noted. Necro was embedded in an advertising SDK called “Coral SDK,” which was supposed to be used to integrate various advertising modules into an application. Instead, the SDK uses steganography to conceal a second-stage payload capable of a number of malicious activities, including loading ads in invisible WebView windows, downloading and executing arbitrary JavaScript files, facilitating fraud, and redirecting malicious traffic.
Two seemingly legitimate applications shipped with this SDK: a photo editing tool called Wuta Camera by ‘Benqu’ and Max Browser by ‘WA message recover-wamr’. The former has been downloaded over 10 million times, the latter over a million.
Updating defective apps
When Kaspersky discovered the malware and notified the developers, Wuta Camera was fixed and the malware was removed. If you happen to use this app, make sure to update it to version 6.3.7.138. Max Browser, on the other hand, is still compromised and the researchers suggest removing the app and switching to a different browser.
Google’s Play Store tracks and displays the number of downloads, which cumulatively exceed 11 million on the platform. However, compromised apps are also distributed via other means, so the number of compromised mobile endpoints is likely much higher. Kaspersky found multiple other apps distributed on third-party websites that contained the Necro malware, including modified versions of WhatsApp (GBWhatsApp and FMWhatsApp), Spotify (Spotify Plus), Minecraft, Stumble Guys, and many others.
Google is generally very diligent when it comes to protecting its app repository, but even the strongest defenses can sometimes be breached. When downloading new apps, it’s wise not to blindly trust everything you find on official stores. Instead, look at the number of downloads, ratings, and reviews.
Via BleepingComputer