In a troubling development, the Necro Trojan has resurfaced on Google Play, infecting popular applications and reaching millions of Android devices worldwide.
Kaspersky’s cybersecurity researchers discovered the Necro malware in various apps, including some available on official app stores like Google Play and others distributed through unofficial websites. This is not the first time Necro has exploited official channels—its previous attack in 2019 impacted over 100 million users.
This new wave of infections is similarly alarming, with affected apps reaching over 11 million devices.
Malware Hidden in Popular Apps
The latest version of the Necro Trojan has been found in modified versions of well-known applications such as Spotify and Minecraft. In particular, a Spotify mod called Spotify Plus, downloaded from unofficial sources, was flagged for containing the malicious code. The mod falsely claimed to offer enhanced features and safety certifications, but instead, it initiated a complex malware operation.
One of the infected apps, the Wuta Camera, had been downloaded over 10 million times on Google Play. Once the malware was detected, Google swiftly removed the infected version. However, many users had downloaded compromised versions before the discovery, showcasing the Trojan’s ability to spread undetected.
Advanced Obfuscation Techniques
Necro employs sophisticated techniques to avoid detection. The malware uses obfuscation and steganography to hide its payload in app files, making it harder for security tools to identify the threat. The malware, concealed in PNG image files, evades traditional security measures by hiding in plain sight, awaiting instructions from its command-and-control (C2) servers.
Once activated, the Trojan can perform various harmful actions, including displaying ads in invisible windows, downloading and executing files, opening arbitrary links, and even subscribing users to paid services without their consent. The Trojan also exploits the victim’s device to create tunnels, enabling cybercriminals to carry out malicious activities unnoticed.
Necro’s Spread and Evolution
The distribution of the Necro Trojan is not limited to Google Play. Researchers have found multiple infected mods on unofficial websites, including modded versions of WhatsApp. These infected apps share similar malicious behavior, including the ability to download and run secondary payloads from C2 servers.
Interestingly, the latest versions of Necro use Google’s Firebase Remote Config service to store and retrieve malicious files, a tactic that adds another layer of complexity to the malware’s operations. Random number generation is also used to determine when the malware executes its payload, making detection even more challenging.
A Growing Threat
Necro’s ability to infiltrate official and unofficial app sources demonstrates the growing sophistication of malware targeting Android users. By using trusted platforms like Google Play, the Trojan authors have exploited widespread apps, putting millions of users at risk.
While Google Play has taken steps to remove infected apps, malware in widely used applications reminds us of the importance of vigilance. Android users are urged to avoid downloading apps from unofficial sources and ensure their devices are equipped with up-to-date security solutions.
The Necro Trojan continues to evolve, using ever more complex methods to deliver its payload. As it adapts, cybersecurity experts must develop new strategies to keep up with the malware’s growing threat.
Better than Cure
“The Necro Trojan has again managed to attack tens of thousands of devices worldwide. This new version is a multi-stage loader that used steganography to hide the second-stage payload, a very rare technique for mobile malware, and obfuscation to evade detection,” the researchers said. “The modular architecture gives the Trojan’s creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application.”
To avoid being infected with this malware, Kaspersky recommends:
- If you have any of the Google Play apps installed and the versions are infected, update the app to a version where the malicious code has been removed or delete it.
- Download applications from official sources only. Applications installed from unofficial platforms may contain malicious functionality.
- Use a reliable security solution to protect your device from attempts to install malware.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.