Necro Malware Infects 11 Million Android Devices

A new strain of the Necro malware has infected over 11 million Android devices by exploiting vulnerabilities in apps from the Google Play Store and unofficial sources. Originally identified by Kaspersky, the Necro Trojan has evolved, spreading through malicious software development kits (SDKs) embedded in legitimate apps and popular game mods.

According to Kaspersky’s Securelist, apps such as Wuta Camera and Max Browser were among the most significant culprits. Wuta Camera, downloaded over 10 million times, carried the Necro loader until a recent update removed the malicious code. Max Browser had over 1 million downloads before being removed from Google Play entirely.

Google has since confirmed that the infected versions of all affected apps were removed, stating, "All of the malicious versions of the apps identified by this report were removed from Google Play prior to report publication."

This is not the first time malware has gone undetected on the Google Play Store. A recent report uncovered that spyware had remained undetected on the platform for years, exposing millions of users to potential privacy breaches.

The Register reported that outside the Play Store, Necro has spread through modified versions of popular apps like Spotify and WhatsApp, often downloaded from unofficial sources. These mods promise enhanced features but instead deliver malware to users’ devices. Kaspersky researcher Dmitry Kalinin noted that these infected mods have become a real problem.

Necro’s payloads include adware that generates revenue for attackers, tools for subscription fraud, and modules that turn infected devices into proxies for routing malicious traffic. Particularly concerning is Necro’s use of steganography, a technique that hides its malicious code within PNG image files, making detection harder. BleepingComputer highlighted the sophisticated methods the malware uses to evade detection and spread to millions of devices.

The malware also targets game mods, such as Minecraft and Stumble Guys, which appeal to younger users who may be unaware of the risks of downloading unofficial software. Kaspersky has blocked over 10,000 Necro-related attacks, with the highest numbers seen in countries like Russia, Brazil, and Vietnam.

Just last year, the discovery of the Xamalicious malware, which infected over 330,000 Android devices, showed the ongoing challenges Android users face when it comes to mobile malware.