Five years ago, an unsettling find was made— a legitimate Android application on the Google Play Store had been covertly compromised through a library used by developers to generate ad revenue. This resulted in the app being laced with malicious code that connected 100 million devices to hacker-controlled servers to secretly download harmful payloads.
Recently, this scenario has played out once more. Researchers at a security company based in Moscow, Russia, uncovered on Monday that two new applications, which had been downloaded 11 million times from the Google Play Store, were infected with the same type of malware. The team from Kaspersky suspects that, once again, a rogue software development kit (SDK) used for ad integration is to blame.
Advanced Malware Techniques
SDKs are tools that aid developers by providing ready-to-use frameworks which simplify the app development process by handling repetitive tasks. In the infected apps, an unvalidated SDK module was ostensibly used to facilitate ad displays. However, it also enabled secretive communication with malicious servers. These servers not only received user data from the apps but also sent back malicious code that could be executed and updated remotely at any time.
The malware, identified in both incidents as Necro, utilized sophisticated methods this round. Some versions employed steganography, a technique of hiding data which is not commonly seen in mobile malware. Additionally, some variants introduced advanced techniques to deliver harmful code capable of running with elevated system privileges. Once a device was compromised, it connected to a hacker-run command-and-control server, sending encrypted JSON data about the device and the app containing the harmful module.
The server would respond with a JSON file that included a link to a PNG image and metadata with the image’s hash. If the hash verified correctly on the infected device, the image was downloaded.
According to Kaspersky researchers in a separate report, “The SDK module employs a fairly basic steganographic method. If the MD5 verification passes, it decodes the contents of the PNG file—specifically the pixel values in the ARGB channels—using standard Android tools. The getPixel method then extracts a value, the least significant byte of which contains the blue channel, and code processing starts.”
They added:
Viewing the blue channel as a one-dimensional byte array, the first four bytes are the size of the encoded payload in Little Endian order. Following this, the payload of the stated size is recorded; this is a JAR file encoded with Base64, which is executed after being decoded via DexClassLoader. The Coral SDK then loads the sdk.fkgh.mvp.SdkEntry class from the JAR file using the native libcoral.so library, which has been obscured using the OLLVM tool. The execution starts from the ‘run’ method in the loaded class.
Subsequent payloads install malicious plugins that vary per device, enabling a range of harmful activities. One plugin allows the execution of code with elevated system privileges. Typically, Android restricts privileged processes from using WebView, a component that displays web content within apps. To circumvent this, Necro employs a hacking method known as a reflection attack to instantiate a separate WebView factory.
This plugin is also capable of downloading and executing additional executable files that manipulate URL displays in WebView. With elevated privileges, these files can alter URLs to append verification codes for paid subscriptions and to initiate downloads and executions of code from attacker-controlled links. The researchers identified five different payloads in their analysis of Necro.
The modular structure of Necro opens up numerous possibilities for the malware’s behavior. Kaspersky shared an image illustrating an overview of this structure.
The infected applications discovered included Wuta Camera, which had been downloaded 10 million times. Versions 6.3.2.148 through 6.3.6.148 of Wuta Camera contained the malicious SDK. The app has been updated since to eliminate the harmful component. Another app, Max Browser, which had approximately 1 million downloads, was also found to be infected and has since been removed from the Google Play Store.
Additionally, Necro was found in various Android apps in alternative marketplaces. These apps often posed as modified versions of legitimate applications like Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.
Individuals concerned about potential infection by Necro are advised to check their devices for signs of compromise as detailed at the conclusion of this report.
I am Sofia, a tech-savvy journalist and passionate member of the “Jason Deegan” team. Growing up, I was always fascinated by the latest technological advancements and loved sharing my knowledge with others.