top of page

New Android Malware Threat Infects Millions via Compromised SDKs, Experts Warn

The Android ecosystem is once again under siege by a potent new wave of malware infections. Reports from SecureList by Kaspersky highlight the latest threat, Necro Trojan, a malicious software infiltrating millions of Android devices through compromised software development kits (SDKs) embedded in apps.


The Trojan's rapid spread has been traced to a supply chain attack, where ad SDKs—widely used by app developers for integrating ads were compromised. These tainted SDKs were then incorporated into apps downloaded by millions of users. Notably, two widely distributed Play Store apps Wuta Camera by Benqu and Max Browser were found to be infected, with alarming consequences for users' devices.


Necro Trojan Infiltrates Popular Apps

Wuta Camera, a photo editing app with over 10 million downloads, was compromised between versions 6.3.2.148 (released July 18) and 6.3.6.148 (released August 20), allowing the Necro Trojan to silently install on devices. Meanwhile, Max Browser, an app downloaded over 1 million times, still contains the malware in its latest version (1.2.0), according to BleepingComputer. While Google has since removed Max Browser from the Play Store, the damage has already been done.


Unfortunately, the Trojan’s spread isn't limited to these two apps. Necro has also been detected in modified versions of popular apps like WhatsApp, Spotify, and Minecraft, which are typically distributed via unofficial websites and third-party app stores. These distribution channels make it difficult to quantify the total number of infected devices, raising concerns that the malware's reach could be even larger than currently known.


How Necro Trojan Exploits Devices

Once installed on a device, the Necro Trojan operates silently but destructively. One of its primary functions is to display adware by loading websites through invisible WebView windows. This generates ad revenue for attackers, leaving the user unaware as their device consumes data and battery life in the background. However, the Trojan’s capabilities go beyond mere ad fraud, it can also download and execute arbitrary code on the device, facilitate subscription fraud, and route malicious traffic to conceal its source.


This combination of stealth, financial exploitation, and the ability to execute malicious code presents a serious risk to Android users, particularly those relying on official app stores like Google Play, which they assume to be safe.


Google's Response and User Recommendations

Google is reportedly aware of the infected apps and the underlying Necro Trojan and is currently investigating. The tech giant's Play Protect feature, which scans apps before installation and periodically checks devices for malware, remains a critical defense tool for users. However, given the scale of Necro’s reach, users need to be proactive in protecting their devices.


If you've downloaded either Wuta Camera or Max Browser, it’s strongly advised to uninstall the apps immediately and scan your device using a reputable antivirus solution. While there is no evidence that the Necro Trojan directly compromises user accounts or sensitive data, it's wise to change your passwords as a precautionary measure.


Cybersecurity Experts Weigh In


The rise of the Necro Trojan highlights a disturbing trend in supply chain attacks, where third-party SDKs become vectors for spreading malware. While end users have little control over the SDKs integrated into their apps, cybersecurity experts argue that developers must take extra steps to ensure the safety of their code.


"While users have no control over what Software Development Kits (SDKs) are used in apps, developers of the apps can, indeed, check to make sure the SDK hasn't been tampered with,” says Katie Teitler-Santullo, Cybersecurity Strategist at OX Security. “For instance, developers should check to see if the SDK has been signed with a valid certificate and comes from a trusted source. Scanning source code for malicious content and unauthorized access helps developers identify whether the code has been altered or is vulnerable to exploit."


Teitler-Santullo also emphasized the need for thorough app security practices, adding, "It’s always best practice for AppSec teams to conduct various types of scanning including SAST, DAST, dependency, and vulnerability scans, both to find issues before apps are deployed and during runtime."


Protecting Your Device with Play Protect


Google’s Play Protect is a key defense mechanism for Android users, and it's important to ensure the feature is enabled. To check or re-enable Play Protect:

  1. Open the Google Play Store.

  2. Tap your profile icon in the top-right corner.

  3. Navigate to Play Protect → Settings.

  4. Ensure Scan apps with Play Protect is turned on.


To manually scan your device for harmful apps, simply open the Play Store, tap on your profile icon, go to Play Protect, and select Scan.


As the Necro Trojan continues to evolve, users must remain vigilant about the apps they download—even from trusted sources like the Google Play Store. By staying informed and using protective tools like Play Protect, the chances of falling victim to malware can be significantly reduced.

bottom of page