
11 Million Devices Infected With Botnet Malware Hosted In Google Play (arstechnica.com)

(Monday September 23, 2024 @11:30PM (BeauHD) from the here-we-go-again dept.)


Ars Technica's Dan Goodin reports:

> Five years ago, researchers made a grim discovery -- a legitimate Android app in the Google Play market that was [1]surreptitiously made malicious by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads. Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm [2]reported Monday that they found two new apps, [3]downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible. [...]

>

> The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads -- known as Max Browser -- was also infected. That app is no longer available in Google Play. The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of [4]this writeup.



[1] https://it.slashdot.org/story/19/08/27/2031240/trojan-dropper-malware-found-in-camscanner-android-app-with-100-million-downloads

[2] https://www.kaspersky.com/blog/necro-infects-android-users/52201/

[3] https://arstechnica.com/security/2024/09/11-million-devices-infected-with-botnet-malware-hosted-in-google-play/

[4] https://securelist.com/necro-trojan-is-back-on-google-play/113881/



Android Problems (Score:3)

by Arzaboa ( 2804779 )

"apps typically billed themselves as modified versions of legitimate apps such as Spotify, Minecraft, WhatsApp...."

Who downloads an app "billed" as another app? In what world would you get a counterfeit app via Google Play thinking it's useful? Why would Google allow modified apps in their store?

For those that keep asking, this is why I keep it simple stupid. We pay out the wazoo for iPhones for the company so no one can side-load OR install "modified legitimate apps."

--

You can't be in love with a Google search. - Taylor Swift

Re: (Score:2)

by Oliver Wendell Jones ( 158103 )

You might want to re-read the prior sentence...

"The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces."

Re: (Score:3)

by NotEmmanuelGoldstein ( 6423622 )

> "billed" as another app?

Big corporations put spyware and bloatware in their applets. There are people who remove it and share the upgraded applet. The applet should then need fewer permissions. With software, people refuse to think it's their job to check the accuracy of the advertising. They refuse to remember, no Google Play means no malware scan. That alone means one must check the permissions required to install the applet.

It's surprising the software giants haven't attacked the use of their name and logo on non-genuine

Re: Android Problems (Score:3)

by Kelxin ( 3417093 )

> For those that keep asking, this is why I keep it simple stupid. We pay out the wazoo for iPhones for the company so no one can side-load OR install "modified legitimate apps."

Might want to double check that: [1]https://www.xda-developers.com... [xda-developers.com] or [2]https://www.theverge.com/2024/... [theverge.com]

[1] https://www.xda-developers.com/how-to-sideload-apps-iphone-altstore/

[2] https://www.theverge.com/2024/1/25/24050200/apple-third-party-app-stores-allowed-iphone-ios-europe-digital-markets-act

Wait ... (Score:2)

by cascadingstylesheet ( 140919 )

> The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible. [...]

But, wait, I thought Kaspersky were eeeevil Russians and we couldn't trust them?

Used with permission.