A new wave of Android malware known as the Necro malware loader has infected 11 million devices through Google Play, marking one of the most significant recent malware outbreaks.
This malware was introduced via malicious advertising software development kits (SDKs) integrated into legitimate apps, as well as modified versions of popular software such as WhatsApp, Spotify, and Minecraft.
The Necro malware loader is highly adaptable, delivering a variety of malicious payloads to compromised devices.
Among its harmful activities, the malware loads ads invisibly in the background to generate fraudulent revenue, installs apps and APKs without the user’s consent, and uses infected devices as proxies to route malicious traffic. It also includes tools designed to carry out subscription fraud, allowing attackers to exploit services without the victim’s knowledge. Some of the plugins involved in these activities include Island, Cube SDK, Happy SDK, and NProxy, each responsible for different components of the malware’s behaviour.
Two notable apps on Google Play were identified as carriers of the Necro malware loader: Wuta Camera, a photo editing tool, and Max Browser, both of which had a large user base. Wuta Camera had over 10 million downloads, and the malware was embedded in its versions 6.3.2.148 through 6.3.6.148, remaining active until Kaspersky flagged the issue. Although the malware was removed in version 6.3.7.138, users who installed the infected versions are still vulnerable. Max Browser, with over 1 million downloads, remains infected in its latest version, 1.2.0, leading security experts to recommend uninstalling it immediately.
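As an added illustration, not code from the report or from Kaspersky, the following Python snippet checks an app's versionName numerically against the affected ranges the article gives, which avoids the string-comparison mistake where "6.3.10" sorts below "6.3.2". The app labels, the sample inventory and the lower bound "0" for Max Browser are constructed assumptions, since the article names only 1.2.0 as infected.

```python
from typing import Dict, List, Tuple

# Affected ranges taken from the article: Wuta Camera 6.3.2.148 through
# 6.3.6.148 (clean again from 6.3.7.138); Max Browser is infected in its
# latest version 1.2.0, so everything up to and including 1.2.0 is flagged.
# The "0" lower bound for Max Browser is an assumption, not from the article.
AFFECTED: Dict[str, Tuple[str, str]] = {
    "Wuta Camera": ("6.3.2.148", "6.3.6.148"),
    "Max Browser": ("0", "1.2.0"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted versionName into a tuple of ints for correct ordering."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(label: str, version: str) -> bool:
    """True if the app label has a known-bad range and version lies inside it."""
    rng = AFFECTED.get(label)
    if rng is None:
        return False
    low, high = parse_version(rng[0]), parse_version(rng[1])
    return low <= parse_version(version) <= high


def scan(inventory: Dict[str, str]) -> List[str]:
    """Return the labels in an {app label: versionName} inventory that are affected."""
    return [label for label, ver in inventory.items() if is_affected(label, ver)]


# Constructed sample inventory, e.g. as collected from a device by an MDM agent.
SAMPLE_INVENTORY = {
    "Wuta Camera": "6.3.5.100",   # inside the infected range
    "Max Browser": "1.2.0",       # latest version, still infected
    "Spotify": "8.9.0",           # official app, not in the affected list
}

if __name__ == "__main__":
    print("affected:", scan(SAMPLE_INVENTORY))
```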
The malware was distributed using the Coral SDK, which employed obfuscation techniques and image steganography to hide its second-stage payload. These advanced tactics allowed the malware to remain undetected for extended periods, continuing to infect devices.
Outside of the Google Play Store, the Necro malware loader was also found in modified versions of popular apps distributed through unofficial websites. Mods such as GBWhatsApp, FMWhatsApp, and Spotify Plus were among the infected apps, along with mods for games like Minecraft and Stumble Guys. In all cases, the malware generated revenue through fraudulent advertising in the background and carried out other harmful activities without the user’s consent.
While the number of infections from unofficial sources is unclear, the confirmed total from Google Play alone stands at 11 million devices, underscoring the scale of the attack and the continued risk it poses to Android users globally.