Necro Trojan: A Growing Threat in the Digital Landscape
Recent findings from security researchers have unveiled a concerning trend involving certain Google Play apps and unofficial modifications of popular applications being exploited to disseminate a particularly insidious malware known as the Necro trojan. This malware exhibits a range of malicious capabilities, including keystroke logging, sensitive information theft, installation of additional malware, and remote command execution.
The Necro trojan first emerged in 2019, gaining notoriety when it infected the widely used PDF maker app, CamScanner. At that time, the official version of the app, boasting over 100 million downloads, posed a significant risk to users until a timely security patch resolved the issue.
According to a recent report by Kaspersky researchers, a new iteration of the Necro trojan has been detected within two applications on the Google Play Store: the Wuta Camera app, which has surpassed 10 million downloads, and Max Browser, with over a million downloads. Following Kaspersky’s alert, Google promptly removed the infected applications from its platform.
The Role of Modded APKs
The root of the problem lies in the proliferation of unofficial ‘modded’ versions of popular applications, frequently hosted on numerous third-party websites. Users may inadvertently download and install these modified Android application packages (APKs), thereby compromising their devices. Among the identified APKs harboring the malware are altered versions of well-known apps such as Spotify, WhatsApp, and games like Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. These modded versions often entice users with promises of features typically reserved for paid subscriptions.
Interestingly, the attackers have employed a variety of tactics to ensnare users. For instance, the Spotify mod was found to contain a software development kit (SDK) that displayed multiple advertising modules. A command-and-control (C&C) server was activated to deploy the trojan payload whenever a user inadvertently interacted with the image-based module.
Similarly, in the case of the WhatsApp mod, researchers discovered that the attackers had manipulated Google’s Firebase Remote Config cloud service, repurposing it as their C&C server. Engaging with the module would trigger the deployment and execution of the same malicious payload.
Malware Capabilities and User Impact
Once activated, the malware is capable of downloading executable files, installing third-party applications, and opening hidden WebView windows to execute JavaScript code. Alarmingly, it can also subscribe users to costly paid services without their consent.
Although the compromised apps on Google Play have been removed, users are strongly advised to exercise caution when downloading Android applications from third-party sources. If there is any doubt regarding the trustworthiness of a marketplace, it is prudent to avoid downloading or installing any apps or files from that source.