Every now and then, we learn about malicious Android apps sneaking their way onto the Play Store. The most recent discovery, however, concerns two Play Store apps containing a malware Trojan that has affected over 11 million Android devices. The same malware was also found in unofficial apps, which means the number of victims here is likely much higher.

Researchers from Kaspersky discovered a new version of the Necro Trojan, which has attacked users from two sources: On the one hand, the Necro Trojan is being delivered through legitimate apps distributed on the Google Play Store. On the other, bad actors injected their Trojan into modified apps, such as custom versions of Spotify and Minecraft, that users downloaded through unofficial means—otherwise known as sideloading.

Modified apps

Kaspersky first investigated a modified Spotify app called Spotify Plus, which advertised as offering Spotify Premium features for no charge. While the app claimed to be “Security Verified,” Kaspersky’s analysis found these claims were false, and that the app allows the Trojan to infect these devices. Researchers also found the Trojan in modified versions of WhatsApp, in both “GBWhatsApp” and “FMWhatsApp.”

In addition, Kaspersky says they found Necro in a series of game mods. That includes Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.

Kaspersky stresses that it’s impossible to say how many victims there are from these unofficial sources. All we can tally are the number of downloads from affected apps in the Play Store.

Play Store apps

Between all the affected apps Kaspersky discovered in Google’s Play Store, it turns out the Necro Trojan has infected more than 11 million Android devices. The largest app in the series by far is the Wuta Camera app, which Kaspersky says was downloaded more than 10 million times alone. The app wasn’t always malicious, either: Researchers say the Trojan first appeared in version 6.3.2.148 of the app. It has since been removed, so the app is currently safe to download.

Max Browser also contained the Trojan, and was downloaded more than one million times. The first version of this app to contain the Trojan was version 1.2.0, but since Kaspersky reported the app, Google has taken Max Browser off their app store entirely.

What Necro does

When installed on your device, Necro malware can execute a number of functions. As explained by BleepingComputer, Necro’s payloads can activate malicious plugins to run adware that opens its links with invisible windows; programs that run various scripts; programs to activate fraudulent subscriptions; and tools that route malicious traffic through your device.

In effect, your unofficial app download, or official download in the case of Max Browser and Wuta Camera, generates money for attackers as you inadvertently open advertisements and run fraudulent subscriptions in the background.

How to protect your device

The first thing you should do is scan your Android phone for any of the Play Store apps mentioned above. If you have Wuta Camera, make sure to update the app immediately, or delete it from your phone. If you have Max Browser, delete it: There is no safe version of this app.

In addition, delete any of the modified apps named in this piece if you have them on your smartphone, and be vigilant with unofficial downloads going forward. Sideloading certainly opens up more apps than are contained on the Play Store, but since there are fewer checks and regulations, you run the risk of downloading something malicious.