Necro Trojan on Google Play
The emergence of a new version of the Necro malware loader has raised significant concerns in the cybersecurity landscape, particularly for Android users. This sophisticated malware has infiltrated approximately 11 million devices through Google Play, leveraging malicious software development kits (SDKs) embedded in legitimate applications. These SDKs were found in various Android game modifications and altered versions of widely-used software, including Spotify, WhatsApp, and Minecraft.
Once installed, the Necro Trojan deploys a range of harmful payloads, activating a variety of malicious plugins designed to exploit users. The notable functionalities include:
- Adware: Operates through invisible WebView windows, utilizing plugins such as Island and Cube SDK.
- Modules: Capable of downloading and executing arbitrary JavaScript and DEX files through Happy SDK and Jar SDK.
- Tools: Specifically crafted to facilitate subscription fraud, including Web plugin, Happy SDK, and Tap plugin.
- Mechanisms: Repurpose infected devices as proxies to route malicious traffic, exemplified by the NProxy plugin.
Kaspersky’s investigation unveiled the presence of the Necro loader in two popular applications available on Google Play, both boasting substantial user bases. The first, Wuta Camera by ‘Benqu,’ is a photo editing tool that has garnered over 10 million downloads. The malware was introduced with version 6.3.2.148 and persisted until version 6.3.6.148, at which point Kaspersky alerted Google. Although the trojan was eradicated in version 6.3.7.138, remnants of the malware may still linger on devices that had previously installed the affected versions.
The second app identified as a carrier of the Necro Trojan is Max Browser by ‘WA message recover-wamr,’ which had amassed 1 million downloads before its removal following Kaspersky’s findings. The latest version, 1.2.0, still harbors the malware, leaving users with no clean upgrade option. Kaspersky advises immediate uninstallation of Max Browser in favor of safer alternatives.
The analysis revealed that both applications were compromised via an advertising SDK named ‘Coral SDK,’ which utilized obfuscation techniques to conceal its malicious intent. Additionally, it employed image steganography to download a secondary payload, shellPlugin, disguised as innocuous PNG images.
Outside Official Sources
Beyond the confines of the Play Store, the Necro Trojan predominantly spreads through modified versions of popular applications available on unofficial websites. Kaspersky has identified several notorious examples, including WhatsApp mods like ‘GBWhatsApp’ and ‘FMWhatsApp,’ which claim to offer enhanced privacy features and extended file-sharing capabilities. Another example is the Spotify mod, ‘Spotify Plus,’ which promises free access to premium services without advertisements.
The report also highlights the prevalence of Minecraft mods and other game modifications, such as those for Stumble Guys, Car Parking Multiplayer, and Melon Sandbox, all of which have been compromised by the Necro loader. In each instance, the malware’s behavior remains consistent—displaying ads in the background to generate revenue for cybercriminals while compromising user security.
In response to these revelations, Google acknowledged awareness of the reported applications and stated that they are currently investigating the matter.