Trojan detected in Google Play apps, modded versions of Spotify, WhatsApp

Security researchers have discovered that attackers are spreading malware through unofficial mods of popular apps and through some apps on Google Play.

The Necro Trojan reportedly has the ability to install additional malware, log keystrokes, steal sensitive information, and execute commands remotely. Two apps in the Google Play store appear to contain this malware.

Additionally, the trojan was found to be distributed through modded (modified) Android application packages (APKs) of games like Minecraft and apps like Spotify and WhatsApp.

The first detection of a trojan from the Necro family dates back to 2019, when the well-known PDF creator app CamScanner was found to be infected with malware.

Users of the official Google Play version of the app, which has over 100 million downloads, were warned about the risk, and a security patch resolved the problem at the time.

According to a post by Kaspersky researchers, two Google Play apps have been found to contain a new variant of the Necro Trojan. The first is the Wuta Camera app, which has been downloaded more than 10 million times, and the second is Max Browser, with more than a million downloads.

The researchers confirmed that Google removed the malicious apps after Kaspersky contacted the company.

The primary cause of the problem is the abundance of unofficial "modded" versions of well-known apps available on numerous third-party websites. Users can unknowingly download and install them on their Android devices, infecting those devices in the process, NDTV reported.

Researchers have found that some of the APKs carrying the malware are modified versions of Spotify, WhatsApp, Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox; these modded versions promise users access to features that are normally reserved for paying subscribers.

Notably, the attackers appear to target users through a variety of methods. For example, the researchers found that the Spotify mod contained an SDK that displayed several ad modules. If the user inadvertently tapped the image-based module, a trojan payload was fetched from a command-and-control (C&C) server and deployed.

Similarly, the attackers behind the WhatsApp mod were found to have repurposed Google's Firebase Remote Config cloud service as their C&C server. Here too, interacting with the module ultimately caused the payload to be deployed and run.

Once deployed, the malware could "download executable files, install third-party applications, and open arbitrary links in invisible WebView windows to execute JavaScript code," the Kaspersky post highlighted. It could also subscribe the user to expensive paid services without their knowledge.

Although the affected apps listed on Google Play have already been removed, users are advised to exercise caution when installing Android apps from unofficial sources, and should not download or install apps or files from a marketplace they do not trust.
