Necro Trojan Compromises 11 Million Android Devices Worldwide

24 Sep 2024

The Evolution of Necro

In 2019, cybersecurity experts discovered a seemingly legitimate Android application on the Google Play Store that had been compromised through an ad library its developers had integrated. This breach led to a staggering 100 million devices falling victim to the malware. Fast forward five years, and Kaspersky has reported the return of the Necro Trojan, now affecting around 11 million Android users worldwide. This latest iteration has evolved, with new features and infiltration techniques that make it more adaptable, elusive, and potentially more hazardous than its predecessor.

The malware primarily disseminates through unverified ad integration tools employed by app developers, unofficial app sources, and modified versions of widely-used applications. Alarmingly, it has even infiltrated the Google Play Store, affecting apps like Wuta Camera and Max Browser.

Key Differences in the New Version

This reincarnation of the Necro Trojan exhibits several notable distinctions from its original form. It employs sophisticated obfuscation techniques to evade detection, with its malicious payload cleverly concealed within innocuous-looking PNG images. Moreover, various malicious modules can be combined for diverse actions on compromised devices.

While the original version infiltrated apps through an unverified ad integration tool, the new variant is believed to exploit a malicious software development kit designed for ad integration. This time, the Necro Trojan has been found in multiple applications, both on Google Play and in unofficial sources, including:

  • Wuta Camera – 10 million downloads
  • Max Browser – 1 million downloads
  • Modded versions of Spotify
  • Unofficial mods for WhatsApp, Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox

In 2019, Kaspersky identified the malware within CamScanner, a text recognition app that had amassed over 100 million downloads on Google Play.

Malicious Capabilities

Once activated, the Necro Trojan possesses a range of malicious capabilities, including:

  • Downloading and executing DEX files
  • Installing additional applications
  • Tunneling through the victim’s device to route malicious traffic or circumvent network security
  • Subscribing to paid services without user consent
  • Interacting with ads in invisible windows to generate fraudulent ad revenue for the attackers
  • Opening arbitrary links to execute JavaScript code
  • Uploading user data to attacker-controlled servers
  • Downloading malicious code with elevated system privileges

Precautionary Measures

To safeguard against the Necro Trojan, users are encouraged to adopt some straightforward yet effective precautions:

  1. Avoid downloading apps from unofficial sources.
  2. Exercise caution even with applications sourced from official platforms.
  3. Steer clear of modded or hacked versions of apps.
  4. Utilize reputable mobile security software for added protection.
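
An added example for precautions 1 and 3 (not from Kaspersky or the original article): a Python audit of which installer each user-installed app came from, parsing the output of `adb shell pm list packages -3 -i`. The sample output, the `com.example.*` package names and the trusted-installer allowlist are constructed assumptions.

```python
"""Flag user-installed Android packages that did not come from a trusted store.

Input is the text printed by:  adb shell pm list packages -3 -i
(-3 = third-party packages only, -i = show the installer package).
"""
import re

# Assumption: the stores this device owner trusts. Adjust per fleet policy.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# One output line looks like:
#   package:com.example.app  installer=com.android.vending
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(output):
    """Return {package: installer or None} from `pm list packages -i` output."""
    result = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything unexpected
        inst = m.group("inst")
        # "null" means no installer was recorded (e.g. adb install / sideload).
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def untrusted_installs(output, trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, installer) pairs whose installer is not trusted."""
    return sorted(
        (pkg, inst or "unknown (sideloaded)")
        for pkg, inst in parse_pm_list(output).items()
        if inst not in trusted
    )


# Constructed sample output; the package names are made up for illustration.
SAMPLE = """\
package:com.example.notes  installer=com.android.vending
package:com.example.musicmod  installer=null
package:com.example.blockgame.mod  installer=com.google.android.packageinstaller
package:com.example.browser  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, inst in untrusted_installs(SAMPLE):
        print(f"REVIEW {pkg}: installed by {inst}")
```

A trusted installer is not proof an app is clean, since Necro also reached Google Play through Wuta Camera and Max Browser; this check only surfaces sideloaded and modded installs for review.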

The resurgence of the Necro Trojan serves as a stark reminder of the persistent threat posed by mobile malware, having already compromised 11 million devices globally. This situation underscores the critical need for users to exercise caution when downloading and utilizing mobile applications. With Necro now active, vigilance is paramount, particularly regarding modified versions of popular apps. Users are advised to meticulously verify the source and permissions of any application prior to installation.

Update: 24 Sep 2024