In a concerning turn of events, the Necro Trojan has made a comeback on Google Play, infiltrating widely-used applications and affecting millions of Android devices globally. Kaspersky’s cybersecurity experts have identified the Necro malware within various applications, including some that are available on official app stores like Google Play, as well as those distributed through unofficial channels. This is not the first instance of Necro exploiting legitimate platforms; its previous attack in 2019 impacted over 100 million users. The current wave of infections is equally troubling, with affected applications reaching over 11 million devices.
Malware Hidden in Popular Apps
The latest iteration of the Necro Trojan has been detected in modified versions of well-known applications, such as Spotify and Minecraft. Notably, a Spotify mod named Spotify Plus, which was downloaded from unofficial sources, has been flagged for harboring malicious code. This mod misleadingly claimed to offer enhanced features and safety certifications, but instead initiated a complex malware operation.
One of the compromised applications, the Wuta Camera, had amassed over 10 million downloads on Google Play. Following the detection of the malware, Google promptly removed the infected version. However, many users had already downloaded the compromised versions prior to this discovery, illustrating the Trojan’s capacity to spread undetected.
Advanced Obfuscation Techniques
The Necro Trojan employs advanced techniques to elude detection. Utilizing obfuscation and steganography, the malware conceals its payload within app files, complicating the identification process for security tools. By embedding itself in PNG image files, it remains hidden in plain sight, waiting for instructions from its command-and-control (C2) servers.
Once activated, the Trojan can execute a range of harmful actions, including displaying ads in invisible windows, downloading and executing files, opening arbitrary links, and even subscribing users to paid services without their consent. Additionally, the Trojan exploits the victim’s device to create tunnels, allowing cybercriminals to conduct malicious activities discreetly.
Necro’s Spread and Evolution
The distribution of the Necro Trojan extends beyond Google Play. Researchers have uncovered multiple infected mods on unofficial websites, including altered versions of WhatsApp. These compromised applications exhibit similar malicious behavior, such as the ability to download and execute secondary payloads from C2 servers.
Interestingly, the latest versions of Necro leverage Google’s Firebase Remote Config service to store and retrieve malicious files, adding another layer of complexity to the malware’s operations. The use of random number generation to determine when the malware executes its payload further complicates detection efforts.
A Growing Threat
The ability of Necro to infiltrate both official and unofficial app sources highlights the increasing sophistication of malware targeting Android users. By utilizing trusted platforms like Google Play, the Trojan’s authors have managed to exploit popular applications, placing millions of users at risk.
While Google Play has taken measures to remove infected applications, the presence of malware in widely used apps serves as a reminder of the importance of user vigilance. Android users are encouraged to refrain from downloading apps from unofficial sources and to ensure their devices are equipped with up-to-date security solutions.
The Necro Trojan continues to evolve, employing increasingly complex methods to deliver its payload. As it adapts, cybersecurity experts must devise new strategies to counter this growing threat.