Necro Trojan Malware Resurfaces in Google Play and Modded Apps

Threat Group: Necro Trojan Operators
Threat Type: Android Trojan Downloader
Exploited Vulnerabilities: Supply chain attack via SDKs in Android apps
Malware Used: Necro Trojan (Trojan-Downloader.AndroidOS.Necro variants)
Threat Score: High (8.2/10) — Due to large-scale infiltration and the advanced use of steganography for payload concealment.
Last Threat Observation: September 15, 2024, by Kaspersky Lab


Overview

The Necro Trojan has resurfaced, exposing more than 11 million devices to malware infections through both official Google Play apps and modded versions of popular apps like Spotify and WhatsApp. First discovered in 2019, the Necro dropper primarily installs other malware on infected devices. This new campaign follows a similar trajectory but introduces steganography to hide its payload in images, a rare and sophisticated technique for mobile malware.

Kaspersky researchers highlighted that the trojan continues to affect both apps on Google Play and apps downloaded from unofficial sources. While Google has addressed some of these issues by removing or updating the infected apps like Wuta Camera and Max Browser, the scale of infections remains significant.


Key Details:

  • Delivery Method: Infected apps on Google Play (e.g., Wuta Camera, Max Browser) and modded apps on unofficial platforms (e.g., Spotify Plus, WhatsApp mods).
  • Targets: Android users globally, particularly those downloading apps from third-party platforms.
  • Obfuscation: Uses steganography to hide malicious payloads in PNG images.
  • Functions:
    • Downloads and installs additional malware.
    • Displays ads in invisible windows to generate fraudulent revenue.
    • Subscribes users to paid services without their knowledge.
    • Uses infected devices as proxies for malicious traffic.

Attack Vectors

The Necro Trojan infiltrates apps available on Google Play and modded apps from unofficial websites. The malware is embedded in third-party advertising SDKs such as Coral SDK, which communicates with command-and-control (C2) servers to download the second-stage payload. Once the payload is retrieved, it installs additional malicious modules that:

  • Display ads invisibly using WebView windows.
  • Download and execute additional code.
  • Subscribe users to premium services without their consent.

Affected Applications

  1. Wuta Camera: A selfie app developed by Shanghai Benqumark Network Technology, with over 10 million downloads on Google Play. The infected versions (from 6.3.2.148 to 6.3.6.148) contained the Necro loader. After Kaspersky’s report, the malware was removed in version 6.3.7.138.
  2. Max Browser: Marketed as a privacy-focused browser, it was downloaded over 1 million times. The app was removed from Google Play after Kaspersky's disclosure of its infection.
  3. Spotify Plus: A modified version of Spotify, hosted on unofficial websites, claimed to offer premium features for free but was found to contain Necro malware.

Known Indicators of Compromise (IoCs)

  • File Hashes:
    • MD5: 1cab7668817f6401eb094a6c8488a90c (Wuta Camera)
    • SHA256: fa217ca023cda4f063399107f20bd123 (shellPlugin; note that this value is 32 hex characters, the length of an MD5 digest rather than a SHA-256, so confirm the hash type against the Kaspersky report before loading it into a blocklist)
  • C2 Servers:
    • 47.88.246[.]111
    • hsa.govsred[.]buzz
  • Affected Apps:
    • Wuta Camera (versions 6.3.2.148 to 6.3.6.148)
    • Max Browser (version 1.2.0)
    • Spotify Plus (spotiplus[.]xyz)
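The indicators above are only useful once they are matched against device inventories and network telemetry. The script below is an added example, not part of the advisory or of any vendor's tooling: it refangs the defanged network indicators, compares installed app versions against the affected ranges listed on the page using numeric version tuples (so 6.3.10.x would sort correctly), matches hashes case-insensitively, and scans log lines for listed hosts and IPs, including subdomains of a listed domain. The inventory and log lines are constructed for the demo; the `query=`/`dst=`/`host=` field names are an assumption about the log format and should be adapted to the actual source.

```python
import re

# Indicators exactly as listed on this page (network indicators defanged with "[.]").
IOC_HASHES = {
    "1cab7668817f6401eb094a6c8488a90c": "Wuta Camera (listed as MD5)",
    "fa217ca023cda4f063399107f20bd123": "shellPlugin (listed as SHA256, but 32 hex chars long)",
}
IOC_NETWORK = ["47.88.246[.]111", "hsa.govsred[.]buzz", "spotiplus[.]xyz"]
AFFECTED_VERSIONS = {
    "Wuta Camera": ("6.3.2.148", "6.3.6.148"),
    "Max Browser": ("1.2.0", "1.2.0"),
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]") back into a matchable host/IP string."""
    return indicator.replace("[.]", ".").lower()


NETWORK_SET = {refang(i) for i in IOC_NETWORK}


def version_key(version: str) -> tuple:
    """Numeric tuple for dotted versions so 6.3.10.1 sorts after 6.3.9.1."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_affected(app: str, version: str) -> bool:
    """True when the app is listed and the version falls inside its affected range."""
    if app not in AFFECTED_VERSIONS:
        return False
    lo, hi = AFFECTED_VERSIONS[app]
    return version_key(lo) <= version_key(version) <= version_key(hi)


def match_hash(digest: str):
    """Return the label for a listed hash, or None."""
    return IOC_HASHES.get(digest.strip().lower())


def match_host(host: str) -> bool:
    """Exact match on a listed host/IP, or a subdomain of a listed domain."""
    h = host.strip().lower().rstrip(".")
    return h in NETWORK_SET or any(h.endswith("." + d) for d in NETWORK_SET)


# Assumed log layout: space-separated key=value fields; only these keys carry hosts.
HOST_FIELDS = re.compile(r"\b(?:query|dst|host)=([A-Za-z0-9.\-]+)")


def scan_inventory(apps):
    """apps: iterable of (app_name, version) from a device inventory."""
    return [(a, v) for a, v in apps if version_affected(a, v)]


def scan_log(lines):
    """Return (line_no, host) for every log line that hits a listed host/IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_FIELDS.findall(line):
            if match_host(host):
                hits.append((n, host.lower()))
    return hits


# Constructed sample data for the demo (not real telemetry).
SAMPLE_APPS = [
    ("Wuta Camera", "6.3.4.100"),   # inside the affected range
    ("Wuta Camera", "6.3.7.138"),   # the fixed release named on the page
    ("Max Browser", "1.2.0"),
    ("Some Other App", "2.0.1"),
]
SAMPLE_LOG = [
    "2024-09-15T10:01:02Z dns query=hsa.govsred.buzz src=10.0.0.5",
    "2024-09-15T10:01:03Z conn dst=47.88.246.111 dport=443 src=10.0.0.5",
    "2024-09-15T10:02:10Z dns query=update.example.com src=10.0.0.7",
    "2024-09-15T10:03:44Z http host=cdn.spotiplus.xyz path=/app.apk src=10.0.0.9",
]

if __name__ == "__main__":
    print(scan_inventory(SAMPLE_APPS))
    print(scan_log(SAMPLE_LOG))
    print(match_hash("1CAB7668817F6401EB094A6C8488A90C"))
```

Matching by app display name is the weak point: an MDM or `adb shell pm list packages` inventory reports package names, which the page does not list, so the `AFFECTED_VERSIONS` keys need to be mapped to the real package identifiers before this is run against a fleet.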

Mitigation and Prevention

  1. Uninstall Affected Apps: Immediately remove infected versions of Wuta Camera, Max Browser, and any modded versions of Spotify or WhatsApp.
  2. Use Official Sources: Only download apps from official sources, avoiding third-party app stores and unofficial mod websites.
  3. Antivirus Protection: Deploy up-to-date antivirus solutions that can detect Necro variants.
  4. Regular Software Updates: Ensure your Android system and apps are regularly updated to reduce vulnerabilities.


Conclusion

The Necro Trojan is a persistent and dangerous threat to Android users, particularly those who download modded apps from unofficial sources. Its use of steganography and other obfuscation techniques, combined with its distribution via legitimate platforms like Google Play, makes it a formidable adversary. Vigilance in app downloading practices, coupled with robust security measures, is critical in preventing future infections.


Sources:

  1. Kaspersky Lab, "Necro Trojan Infiltrates Google Play Again"
  2. BleepingComputer, "Necro Trojan Infects 11 Million Devices"
  3. The Register, "Necro malware continues to haunt Android mods"
  4. SecurityWeek, "Necro Trojan in Google Play Apps"