
Most modern software products incorporate components from various third-party vendors, open-source libraries, and APIs.
This approach helps speed up development, reduce costs, and enhance functionality by leveraging pre-built solutions instead of developing everything from scratch. However, it also introduces challenges related to security, compatibility, and dependency management.
Around five years ago, researchers from Kaspersky Lab reported that a legitimate Android app on the Google Play Store had been unknowingly compromised through an advertising library the developers used to generate revenue.
The hidden malicious code inside the app, CamScanner, a text recognition app, led to 100 million devices being infected, causing them to connect to attacker-controlled servers and download covert payloads.
Now, history seems to be repeating itself.
Researchers from the same Moscow, Russia-based security firm reported that they found new apps, downloaded from Play 11 million times, that were infected with the same malware family.
Regular readers of our blog may recall 'Necro', which we first wrote about way back in 2019. Back then, we discovered a Trojan in CamScanner which had managed to clock up over 100 million downloads on Google Play.
Fast-forward to today and the trojan has… pic.twitter.com/F1je1eMxfz
— Kaspersky (@kaspersky) September 23, 2024
The researchers believe a malicious software developer kit for integrating advertising capabilities is once again responsible.
In a blog post from the cybersecurity firm, the researchers identified the 'Necro' trojan as the culprit.
The researchers said that the malware is being distributed via official apps on the Google Play Store, unofficial modded versions of popular apps, and Android game mods.
What happens in this case is that the Necro trojan is installed through malicious advertising software development kits (SDKs).
SDKs are essentially packaged code and tools that provide developers with frameworks which greatly speed up app creation by streamlining repetitive tasks.
An unverified SDK module incorporated into the apps ostensibly supported the display of ads. Behind the scenes, it provided a host of advanced methods for stealthy communication with malicious servers, where the apps would upload user data and download malicious code that could be executed and updated at any time.
In this case, once an app with the Necro-infected SDK is installed on an Android device, the malware can quickly download additional payloads that are used to activate a number of malicious plugins. From adware to subscription fraud to using infected devices as proxies to send malicious traffic, this malware is extremely versatile as a result of these plugins.
The SDK module “uses a very simple steganographic algorithm," explained Kaspersky researchers in a separate post.
“If the MD5 check is successful, it extracts the contents of the PNG file—the pixel values in the ARGB channels—using standard Android tools. Then the getPixel method returns a value whose least significant byte contains the blue channel of the image, and processing begins in the code.”
Necro is not only dangerous, it is also stealthy.
According to the researchers, some variants of Necro use techniques such as steganography, an obfuscation method rarely seen in mobile malware. Some variants also deploy clever tradecraft to deliver malicious code that can run with heightened system rights.
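To show what the loader described in the quote above actually reads, here is an added Python example (not Kaspersky's code or the SDK's own) that decodes a PNG into Android-style 0xAARRGGBB ints, takes the least significant (blue) byte of each pixel, and flags assets whose blue channel begins with a DEX or ZIP header or has high entropy, a static triage check an analyst can run over an app's resource files. The PNG builder is a constructed test fixture, only 8-bit RGBA filter-0 images are handled, and the MD5 check mentioned in the quote is not reproduced.

```python
import math, struct, zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGICS = {"dex_header": b"dex\n", "zip_header": b"PK\x03\x04"}  # DEX and ZIP/JAR/APK headers

def _chunk(tag, data):  # PNG chunk: length, tag + data, CRC32 over tag + data
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", zlib.crc32(tag + data))

def make_png_rgba(width, rows):
    """Constructed test fixture: encode 8-bit RGBA scanlines (filter type 0) as a PNG."""
    raw = b"".join(b"\x00" + bytes(row) for row in rows)
    ihdr = struct.pack(">IIBBBBB", width, len(rows), 8, 6, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def argb_pixels(png):
    """Decode an 8-bit RGBA, filter-0 PNG into Android-style 0xAARRGGBB ints (row-major)."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width = 8, b"", 0
    while pos + 8 <= len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, _height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if (depth, ctype) != (8, 6):
                raise ValueError("only 8-bit RGBA images are handled here")
        elif tag == b"IDAT":
            idat += data
        pos += 12 + length
    raw, stride, pixels = zlib.decompress(idat), 1 + 4 * width, []
    for start in range(0, len(raw), stride):
        if raw[start] != 0:
            raise ValueError("only filter type 0 scanlines are handled here")
        row = raw[start + 1:start + stride]
        for i in range(0, len(row), 4):
            r, g, b, a = row[i:i + 4]
            pixels.append((a << 24) | (r << 16) | (g << 8) | b)  # same layout getPixel() returns
    return pixels

def blue_channel_bytes(png):  # the stream a Necro-style loader reads: low byte (blue) of each pixel
    return bytes(p & 0xFF for p in argb_pixels(png))

def shannon_entropy(data):
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_png_asset(png):  # flag an asset whose blue channel starts with an executable header
    blob = blue_channel_bytes(png)
    return dict({k: blob.startswith(v) for k, v in MAGICS.items()}, entropy=round(shannon_entropy(blob), 2))
```

A real asset folder would be scanned by calling triage_png_asset on each decoded PNG and reviewing any file that trips a header flag or shows entropy far above that of ordinary artwork.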

According to Kaspersky Lab's findings, the trojan has resurfaced and infected at least 11 million devices.
The first and most downloaded app on the Play Store is Wuta Camera, which lets users take pictures, touch them up and add a number of effects. This app alone was downloaded 10 million times.
The next official app infected with the Necro trojan is a web browser called Max Browser with one million downloads.
Kaspersky also found the Necro trojan lurking in a modified version of the Spotify Plus app.
Users were invited to download a new version of the app from an unofficial source. Unlike the official Spotify app, this version was free and came with an unlocked subscription. This should have been a red flag, but some unsuspecting users downloaded and installed it despite the risk, which led to their phones being infected with the Necro trojan.
Finally, Kaspersky found the Necro trojan lurking in mods for WhatsApp, Minecraft and other popular games including Stumble Guys, Car Parking Multiplayer and Melon Sandbox.

When it comes to dealing with malware, the first and most important thing people can do is to avoid downloading apps from unofficial sources. Sideloading apps may be easy and convenient but doing so can also be extremely dangerous. This is why users should stick to official app stores like the Google Play Store, Samsung Galaxy Store and the Amazon Appstore.
But finding Necro deep inside Google Play Store means that users are not safe, even when they download legitimate apps from the safest app store for Android.
This is where users should always remain vigilant.
Before downloading any app, users should at least check its ratings and reviews.
As these can be faked, it is also a good idea to look for a video review online, so that they can see the app in question in action before installing it.