Necro Malware Infects Popular Android Apps: Google Play and Beyond

At the end of August, Kaspersky Lab specialists detected the activity of malware known as Necro, which infiltrated popular applications on the Google Play platform as well as unofficial sources. Necro is an Android downloader capable of fetching and executing various malicious modules on the victim’s device. Infections have been identified in Brazil, Russia, Vietnam, Ecuador, and Mexico.

The malware boasts extensive capabilities. Necro can download modules onto the device that display advertisements in hidden windows and automatically click through them, download executable files, and install third-party applications. It can also open arbitrary links in WebView, execute JavaScript code, and likely initiate paid subscriptions. Furthermore, attackers can redirect internet traffic through infected devices, using them as proxies to bypass restrictions and create botnets.

One of the first applications infected by Necro was a modified version of Spotify Plus, which circulated on unofficial platforms. The description claimed the app was safe and offered enhanced features compared to the official version. In addition, experts discovered infected versions of WhatsApp and popular games such as Minecraft, Stumble Guys, and Car Parking Multiplayer. Necro infiltrated these apps through a malicious ad module.

The threat posed by Necro was not confined to unofficial platforms. The malware was also found in Wuta Camera and Max Browser, both available on Google Play. According to the platform, these applications have been downloaded over 11 million times. Necro made its way into the programs via an unchecked advertising module.

After Google was notified, the malicious code was removed from Wuta Camera, and Max Browser was completely removed from the store. However, the risk of infection remains for users downloading apps from unofficial sources.

Of particular interest is the fact that this version of Necro employed steganography—a method of concealing data within images—to mask its malicious activity. Such techniques are rarely seen in mobile threats.

To protect their devices, users are advised to download applications exclusively from official sources, regularly update their operating systems, and use trusted antivirus solutions.