How Necro Spreads
In late August 2024, a Spotify mod known as Spotify Plus caught our attention. This version, available for download on various unofficial sites, claimed to offer a plethora of features absent in the official app. To assess its safety, we conducted a thorough analysis of the latest version. Our findings revealed that the mod incorporated a custom Application subclass that initialized an SDK named adsrun, designed to integrate multiple advertising modules. Upon activation, this SDK communicated with a command-and-control server, transmitting encrypted data regarding the compromised device.
The server's response included an error code indicating successful execution, along with a link to download a PNG file containing a hidden payload. This file, intriguingly named “shellP,” suggested a concealed functionality within its pixel values. The process of extracting this payload employed a straightforward steganographic technique, ultimately leading to the execution of malicious code.
Popular Applications in Google Play Are Infected with Necro
Our telemetry search revealed that the Necro loader had also embedded itself within legitimate applications available on Google Play, impacting a user base exceeding 11 million Android devices. Notable examples include the Wuta Camera app, which had been downloaded over 10 million times. The Necro loader was detected starting from version 6.3.2.148, and upon reporting the malicious code, Google promptly removed it from subsequent updates.
Similarly, the Max Browser app, with over a million installations, was found to contain the Necro loader from version 1.2.0 onwards. Following our notification, Google took action to remove the infected version from their platform.
WhatsApp Mods with the Necro Loader
In addition to mainstream applications, we identified WhatsApp mods circulating in unofficial channels that harbored the Necro loader. These applications exhibited a unique operational pattern, utilizing Google’s Firebase Remote Config as a command-and-control mechanism. The malicious code demonstrated a high probability of execution, contingent upon specific conditions being met during runtime.
Other Infected Applications
Our investigation did not end there; we also uncovered infected game mods, including popular titles such as:
- Minecraft
- Stumble Guys
- Car Parking Multiplayer
- Melon Sandbox
The breadth of infected applications across various platforms underscores the necessity for vigilance in app sourcing. Our security solutions have successfully identified and flagged these threats, reinforcing the importance of using trusted sources for application downloads.
The Necro Lifecycle in the Wild: How the Payload Works
Through rigorous analysis, we obtained several payload samples executed by the Necro loader. These payloads exhibited characteristics consistent with the Necro family, including interactions with known command-and-control domains. The modular architecture of the malware allows for flexible updates and the introduction of new malicious modules, adapting to the evolving landscape of mobile threats.