Severity
High
Analysis Summary
Through malicious SDK supply chain operations, a new version of the Necro malware loader for Android was installed on 11 million devices via Google Play.
This latest iteration of the Necro Trojan was installed via Android game mods, Spotify, WhatsApp, and Minecraft modifications, as well as malicious advertising software development kits (SDKs) utilized by genuine apps. Necro launches several malicious plugins and installs many payloads on compromised devices, such as:
- Adware that loads links in invisible WebView windows (Cube SDK, Island plugin)
- Modules that can download and run any DEX and JavaScript file (Happy SDK, Jar SDK)
- Tools (Web plugin, Happy SDK, Tap plugin) made expressly to enable subscription fraud
- Mechanisms (NProxy plugin) that transport malicious traffic through infected devices acting as proxies
The Necro loader was found in two popular Google Play apps, according to cybersecurity researchers. The first is Wuta Camera, a photo-editing and beautifying app developed by "Benqu," which has amassed over 10 million downloads on Google Play. Necro first appeared in the app with version 6.3.2.148 and remained implanted until version 6.3.6.148, at which point researchers alerted Google.
Even though the trojan was removed in version 6.3.7.138, devices may still be affected by payloads deployed by the earlier versions. The second app that contained Necro is Max Browser by 'WA message recover-wamr', a legitimate app with one million downloads on Google Play before it was taken down in response to the discovery.
Users of Max Browser are advised to delete the browser right away and switch to an alternative, because its most recent version (1.2.0) still contains Necro; there is no clean version to upgrade to. Both apps were infected through the "Coral SDK" advertising SDK, which used image steganography to download the second-stage payload, shellPlugin, disguised as benign PNG images, and obfuscation to hide its malicious activity.
Google stated that it was aware of the reported apps and was investigating them. Outside the Play Store, the Necro Trojan spreads mainly through modified apps, or mods, distributed via unofficial websites. Researchers found several notable examples, such as the WhatsApp mods "GBWhatsApp" and "FMWhatsApp," which offer improved privacy settings and increased file-sharing restrictions, and "Spotify Plus," a Spotify mod that offers free, ad-free access to premium features.
The report also lists Necro-infected mods of popular games, including Stumble Guys, Car Parking Multiplayer, Melon Sandbox, and Minecraft. The malicious behavior was the same in each case: installing apps and APKs without the user's permission, using invisible WebViews to interact with premium services, and displaying ads in the background to generate fraudulent income for the attackers. The total number of infections from this latest Necro wave is unknown, because unofficial Android app sites do not consistently publish download figures, but at least 11 million infections came through Google Play.
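As an added triage example (not code from the advisory or the researchers' report), the following Python walks the chunk structure of a file served as a PNG, like the Coral SDK second stage described above, and flags what a plain image would not have: a bad signature, CRC mismatches, chunk types outside the spec, a missing IEND, or bytes appended after IEND. The sample carrier and payload bytes are constructed inline; a payload hidden in pixel values passes these structural checks, so this is a first filter rather than steganalysis.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else deserves a closer look.
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
         b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
         b"hIST", b"tIME"}

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_min_png() -> bytes:
    """Constructed sample carrier: a valid 1x1 8-bit greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))

def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and report structural anomalies (no pixel analysis)."""
    r = {"signature_ok": data.startswith(PNG_SIG), "chunks": [], "crc_errors": [],
         "unknown_chunks": [], "truncated": True, "trailing_bytes": 0}
    pos = len(PNG_SIG)
    while r["signature_ok"] and pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        end = pos + 12 + length
        if end > len(data):  # chunk claims more bytes than the file holds
            break
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", data[end - 4:end])[0]
        r["chunks"].append(ctype)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored:
            r["crc_errors"].append(ctype)
        if ctype not in KNOWN:
            r["unknown_chunks"].append(ctype)
        pos = end
        if ctype == b"IEND":  # a well-formed image ends here; anything after is not image
            r["truncated"] = False
            r["trailing_bytes"] = len(data) - pos
            break
    return r

def is_suspicious(r: dict) -> bool:
    """True when a file served as PNG does not look like a plain image."""
    return (not r["signature_ok"] or r["truncated"] or r["trailing_bytes"] > 0
            or bool(r["crc_errors"]) or bool(r["unknown_chunks"]))
```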
Impact
- Cyber Espionage
- Unauthorized Access
- Identity Theft
- Exposure of Sensitive Data
Indicators of Compromise
URL
- https://adoss.spinsok.com/plugin/shellP_100.png.png
- https://adoss.spinsok.com/plugin/shellE_30.png
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Only download apps from official app stores (Google Play Store and Apple App Store) and avoid third-party app sources.
- Review the permissions an app requests during installation. If an app asks for excessive permissions that are unrelated to its functionality, consider it a red flag.
- Never trust or open links and attachments received from unknown sources/senders.
- Encourage individuals to report any suspicious activities, emails, or messages to relevant authorities, organizations, or cybersecurity experts.
- Verify the authenticity of websites, social media profiles, and apps before providing personal information or engaging with them.
- Implement strong, multi-factor authentication (MFA) for email accounts, social media profiles, and other sensitive online services.
- Keep all software and operating systems up to date with the latest security patches to minimize vulnerabilities.
- Employ robust network security measures, including firewalls and intrusion detection systems, to detect and block malicious network traffic.
- Develop and maintain an incident response plan that outlines steps to take in case of a security breach. Ensure that individuals and organizations know how to respond effectively.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Refrain from downloading apps from unofficial sources or third-party app stores. These sources are less regulated and more prone to hosting malicious apps.
- Patch and upgrade platforms and software promptly, and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.