{"id":57196,"date":"2024-09-24T13:30:32","date_gmt":"2024-09-24T13:30:32","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/36382\/11-Million-Devices-Infected-With-Botnet-Malware-Hosted-In-Google-Play.html"},"modified":"2024-09-24T13:30:32","modified_gmt":"2024-09-24T13:30:32","slug":"11-million-devices-infected-with-botnet-malware-hosted-in-google-play","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/","title":{"rendered":"11 Million Devices Infected With Botnet Malware Hosted In Google Play"},"content":{"rendered":"<figure class=\"intro-image intro-left\"> <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/05\/android-hack-800x534.jpg\" alt=\"A computer screen filled with ones and zeros also contains a Google logo and the word hacked.\"><figcaption class=\"caption\"><\/figcaption><\/figure>\n<aside id=\"social-left\" class=\"social-left\" aria-label=\"Read the comments or share this article\"> <a class=\"comment-count icon-comment-bubble-down\" href=\"https:\/\/arstechnica.com\/security\/2024\/09\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/?comments=1\"> <\/p>\n<h4 class=\"comment-count-before\">reader comments<\/h4>\n<p> <span class=\"comment-count-number\">38<\/span> <\/a> <\/aside>\n<p> <!-- cache hit 118:single\/related:ac7a0861a0aa5fba2356579c82f1ba64 --><!-- empty --><\/p>\n<p>Five years ago, researchers made a grim discovery\u2014a legitimate Android app in the Google Play market that was <a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/08\/google-play-app-with-100-million-downloads-executed-secret-payloads\/\">surreptitiously made malicious<\/a> by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads.<\/p>\n<p>Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm <a href=\"https:\/\/www.kaspersky.com\/blog\/necro-infects-android-users\/52201\/\">reported Monday<\/a> that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible.<\/p>\n<h2>Clever tradecraft<\/h2>\n<p>Software developer kits, better known as SDKs, are apps that provide developers with frameworks that can greatly speed up the app-creation process by streamlining repetitive tasks. An unverified SDK module incorporated into the apps ostensibly supported the display of ads. Behind the scenes, it provided a host of advanced methods for stealthy communication with malicious servers, where the apps would upload user data and download malicious code that could be executed and updated at any time.<\/p>\n<p>The stealthy malware family in both campaigns is known as Necro. This time, some variants use techniques such as <a href=\"https:\/\/en.wikipedia.org\/wiki\/Steganography\">steganography<\/a>, an obfuscation method rarely seen in mobile malware. Some variants also deploy clever tradecraft to deliver malicious code that can run with heightened system rights. Once devices are infected with this variant, they contact an attacker-controlled command-and-control server and send web requests containing encrypted <a href=\"https:\/\/en.wikipedia.org\/wiki\/JSON\">JSON<\/a> data that reports information about each compromised device and application hosting the module.<\/p>\n<p>The server, in turn, returns a JSON response that contains a link to a PNG image and associated metadata that includes the image hash. If the malicious module installed on the infected device confirms the hash is correct, it downloads the image.<\/p>\n<p>The SDK module \u201cuses a very simple steganographic algorithm,\u201d Kaspersky researchers explained in a <a href=\"https:\/\/securelist.com\/necro-trojan-is-back-on-google-play\/113881\/\">separate post<\/a>. \u201cIf the MD5 check is successful, it extracts the contents of the PNG file\u2014the pixel values in the ARGB channels\u2014using standard Android tools. Then the getPixel method returns a value whose least significant byte contains the blue channel of the image, and processing begins in the code.\u201d<\/p>\n<p>The researchers continued:<\/p>\n<blockquote>\n<p>If we consider the blue channel of the image as a byte array of dimension 1, then the first four bytes of the image are the size of the encoded payload in Little Endian format (from the least significant byte to the most significant). Next, the payload of the specified size is recorded: this is a JAR file encoded with Base64, which is loaded after decoding via DexClassLoader. Coral SDK loads the sdk.fkgh.mvp.SdkEntry class in a JAR file using the native library libcoral.so. This library has been obfuscated using the OLLVM tool. The starting point, or entry point, for execution within the loaded class is the run method.<\/p>\n<figure class=\"image shortcode-img center large\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/necro-steganography.png\" class=\"enlarge\" data-height=\"385\" data-width=\"683\" alt=\"Necro code implementing steganography.\"><img loading=\"lazy\" decoding=\"async\" alt=\"Necro code implementing steganography.\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/necro-steganography-640x361.png\" width=\"640\" height=\"361\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/necro-steganography.png 2x\"><\/a><figcaption class=\"caption\">\n<div class=\"caption-text\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/necro-steganography.png\" class=\"enlarge-link\" data-height=\"385\" data-width=\"683\">Enlarge<\/a> <span class=\"sep\">\/<\/span> Necro code implementing steganography.<\/div>\n<\/figcaption><\/figure>\n<\/blockquote>\n<p>Follow-on payloads that get installed download malicious plugins that can be mixed and matched for each infected device to perform a variety of different actions. One of the plugins allows code to run with elevated system rights. By default, Android bars privileged processes from using WebView, an extension in the OS for displaying webpages in apps. To bypass this safety restriction, Necro uses a hacking technique known as a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Reflection_attack\">reflection attack<\/a> to create a separate instance of the WebView factory.<\/p>\n<p>This plugin can also download and run other executable files that will replace links rendered through WebView. When running with the elevated system rights, these executables have the ability to modify URLs to add confirmation codes for paid subscriptions and download and execute code loaded at links controlled by the attacker. The researchers listed five separate payloads they encountered in their analysis of Necro.<\/p>\n<p>The modular design of Necro opens myriad ways for the malware to behave. Kaspersky provided the following image that provides an overview.<\/p>\n<figure class=\"image shortcode-img center large\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/necro-overview.png\" class=\"enlarge\" data-height=\"2026\" data-width=\"2048\" alt=\"Necro Trojan infection diagram.\"><img loading=\"lazy\" decoding=\"async\" alt=\"Necro Trojan infection diagram.\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/necro-overview-640x633.png\" width=\"640\" height=\"633\" srcset=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/necro-overview-1280x1266.png 2x\"><\/a><figcaption class=\"caption\">\n<div class=\"caption-text\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2024\/09\/necro-overview.png\" class=\"enlarge-link\" data-height=\"2026\" data-width=\"2048\">Enlarge<\/a> <span class=\"sep\">\/<\/span> Necro Trojan infection diagram.<\/div>\n<\/figcaption><\/figure>\n<p>The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads\u2014known as Max Browser\u2014was also infected. That app is no longer available in Google Play.<\/p>\n<p>The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify,<em> Minecraft<\/em>, WhatsApp, <em>Stumble Guys<\/em>, <em>Car Parking Multiplayer<\/em>, and <em>Melon Sandbox<\/em>.<\/p>\n<p>People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of <a href=\"https:\/\/securelist.com\/necro-trojan-is-back-on-google-play\/113881\/\">this<\/a> writeup.<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/36382\/11-Million-Devices-Infected-With-Botnet-Malware-Hosted-In-Google-Play.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":57197,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[11059],"class_list":["post-57196","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlinemalwarephonebotnetgoogle"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>11 Million Devices Infected With Botnet Malware Hosted In Google Play 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"11 Million Devices Infected With Botnet Malware Hosted In Google Play 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-24T13:30:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/05\/android-hack-800x534.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"11 Million Devices Infected With Botnet Malware Hosted In Google Play\",\"datePublished\":\"2024-09-24T13:30:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/\"},\"wordCount\":806,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play.jpg\",\"keywords\":[\"headline,malware,phone,botnet,google\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/\",\"name\":\"11 Million Devices Infected With Botnet Malware Hosted In Google Play 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play.jpg\",\"datePublished\":\"2024-09-24T13:30:32+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play.jpg\",\"width\":800,\"height\":534},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,malware,phone,botnet,google\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinemalwarephonebotnetgoogle\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"11 Million Devices Infected With Botnet Malware Hosted In Google Play\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"11 Million Devices Infected With Botnet Malware Hosted In Google Play 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/","og_locale":"en_US","og_type":"article","og_title":"11 Million Devices Infected With Botnet Malware Hosted In Google Play 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-09-24T13:30:32+00:00","og_image":[{"url":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/05\/android-hack-800x534.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"11 Million Devices Infected With Botnet Malware Hosted In Google Play","datePublished":"2024-09-24T13:30:32+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/"},"wordCount":806,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/09\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play.jpg","keywords":["headline,malware,phone,botnet,google"],"articleSection":["Packet Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/","url":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/","name":"11 Million Devices Infected With Botnet Malware Hosted In Google Play 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/09\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play.jpg","datePublished":"2024-09-24T13:30:32+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/09\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/09\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play.jpg","width":800,"height":534},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/11-million-devices-infected-with-botnet-malware-hosted-in-google-play\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,malware,phone,botnet,google","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinemalwarephonebotnetgoogle\/"},{"@type":"ListItem","position":3,"name":"11 Million Devices Infected With Botnet Malware Hosted In Google Play"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57196"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57196\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/57197"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}