Over 10 Million Installs: Wuta Camera Infected by Malicious SDK Capable of Loading Hacker-Written Malicious Code
Brook.X
In 2019, Kaspersky Lab noticed that CamScanner, an app with over 100 million installations on Google Play alone, was utilizing an advertising SDK that exhibited malicious behavior. This malware was subsequently named Necro.
Unexpectedly, several years later, this malicious software made a comeback. Kaspersky discovered that another popular app, Wuta Camera, had also been infected. Wuta Camera had amassed over 10 million installations on Google Play alone.
Another app found to be infected alongside Wuta Camera was a browser named Max Browser. However, the developer of this browser was listed as WA message recover-wamr, a company that Landian.news has never heard of.
Kaspersky speculated that Wuta Camera likely used certain advertising SDKs that were not rigorously vetted, and these SDKs may lack strict review processes. It was through these advertising SDKs that the Necro malware infiltrated Wuta Camera.
Wuta Camera is developed by Shanghai Benqu Network Technology Co., Ltd., a software developer based in China. Considering that Chinese users do not use Google Play to download apps, the actual number of infections could be much higher, possibly reaching tens of millions.
The primary function of the Necro malware is to download malicious modules that can load and execute any DEX file. DEX files are compiled codes written for Android. This malware can also install other apps or malicious files and use the victim's device for tunneling transmissions (turning it into an IP proxy node).
At its core, the issue revolves around advertisements. The hacking group behind Necro is primarily motivated by profit, operating by loading invisible ads, automatically interacting with them, opening any link, and running JavaScript code, essentially to defraud advertising revenue as part of a black-market operation.
Following Kaspersky's report, Wuta Camera has released a new version that removes the malicious ad SDK. The affected version was 6.3.2.148 and below, while the latest version, 6.3.7.138, has completed the cleanup process. Users are advised to upgrade to the latest version.
However, neither Kaspersky nor Wuta Camera has disclosed the operator behind the malicious ad SDK. It remains unclear whether the SDK's operator is directly linked to the Necro malware or if the advertising company had procedural loopholes that allowed Necro access.
After receiving Kaspersky's report, Max Browser, which had 1 million installs, was directly removed from Google Play. It might take some time before a new version, cleared of the malicious ad SDK, is released.
Lastly, it's important to note that outside of Google Play, Necro malware remains highly active. It's hidden in various unofficial channels' modified software, such as cracked versions of Spotify, WhatsApp, Minecraft, etc. Therefore, avoiding downloads from unofficial sources is a crucial step in ensuring safety.
