New Necro Trojan Variant Targets Android Users via Google Play Apps

Emerging Threat: The Necro Trojan Targets Android Users

In a concerning development for Android users, security researchers at Kaspersky have unveiled a new variant of the Necro trojan, which is infiltrating devices through both legitimate Google Play applications and altered APKs found on unofficial websites. This sophisticated malware poses a significant risk, with capabilities that include stealing sensitive information, installing additional malicious software, and executing commands remotely on compromised devices.

Kaspersky’s investigation led to the identification of two infected applications on the Google Play Store:

• Wuta Camera: Over 10 million downloads.
• Max Browser: Over 1 million downloads.

Following Kaspersky’s alert, Google promptly removed these applications from its platform to safeguard users.

Moreover, the researchers found the Necro trojan hidden within unofficial “modded” versions of popular applications such as Spotify, WhatsApp, Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. These modified APKs, often marketed as offering premium features at no cost, are prevalent on third-party sites and represent a substantial threat to unsuspecting users.

Understanding the Necro Trojan’s Capabilities

The distribution methods employed by the attackers are varied and cunning. For instance, in the Spotify mod, an embedded SDK was used to present advertising modules. If a user interacted with a particular image-based module, the trojan payload would be activated from a command-and-control (C&C) server. Similarly, the WhatsApp mod utilized Google’s Firebase Remote Config cloud service as a C&C server, deploying the trojan upon user engagement with a designated module.

Once the Necro trojan has infiltrated a device, it can execute a multitude of harmful actions, including:

• Downloading and installing additional malicious files and applications.
• Opening invisible browser windows to run harmful JavaScript code.
• Subscribing users to costly paid services without their consent.
• Stealing sensitive data, including login credentials and financial information.

Guidance for Users

While the infected apps on Google Play have been removed, the threat from modded APKs continues to loom large. Kaspersky offers the following recommendations to help users protect themselves:

1. Avoid downloading applications from untrusted third-party sources.
2. Only install apps from official app stores like Google Play.
3. Exercise caution with apps that claim to provide premium features for free.
4. Consider installing a reputable mobile antivirus solution to enhance security.