Android Malware "Necro" Infects Millions of Devices via Google Play
Marketing · 2024-09-23

Security researchers at Kaspersky have uncovered a new version of the Necro malware that has infected over 11 million devices through Google Play and unofficial app sources. This sophisticated multi-stage loader employs advanced techniques like steganography and obfuscation to evade detection, highlighting the evolving threats in the mobile landscape.

The Necro Trojan, a familiar adversary in the cybersecurity world, has resurfaced with enhanced capabilities. It infiltrated the Android ecosystem through two primary vectors: legitimate apps on Google Play and modified versions of popular applications distributed through unofficial channels.

On Google Play, two apps were identified as carriers of the Necro loader:

  1. Wuta Camera: A photo editing and beautification tool developed by "Benqu," boasting over 10 million downloads. The malware was present from version 6.3.2.148 to 6.3.6.148. While Google has since removed the malicious code in version 6.3.7.138, users who installed earlier versions may still be at risk.
  2. Max Browser: Created by "WA message recover-wamr," this web browser had amassed 1 million downloads before its removal from Google Play. Kaspersky reports that the latest version, 1.2.0, still contains the Necro loader, advising users to uninstall it immediately.

The infection mechanism in these legitimate apps involved a malicious advertising software development kit (SDK) named "Coral SDK." This component utilized obfuscation techniques to conceal its activities and employed steganography to download additional payloads disguised as innocent PNG images.

Beyond the official app store, Necro has spread through modified versions of popular applications, commonly known as "mods." These unofficial variants, promising enhanced features or premium access, were distributed through third-party websites. Notable examples include:

  • WhatsApp mods: "GBWhatsApp" and "FMWhatsApp," offering improved privacy controls and extended file-sharing capabilities.
  • Spotify mod: "Spotify Plus," claiming to provide free access to premium, ad-free services.
  • Game mods: Modified versions of Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.

The Necro Trojan's modular architecture allows its creators to deliver targeted updates or new malicious components based on the infected application. This flexibility makes it a versatile threat capable of executing various malicious activities:

  • Adware functionality: The "Island" plugin and "Cube SDK" load links through invisible WebView windows, generating fraudulent ad revenue.
  • Code execution: "Happy SDK" and "Jar SDK" can download and run arbitrary JavaScript and DEX files.
  • Subscription fraud: The "Web" plugin, "Happy SDK," and "Tap" plugin contain mechanisms designed to facilitate unauthorized subscriptions to paid services.
  • Proxy functionality: The "NProxy" plugin turns infected devices into proxies for routing malicious traffic.

Kaspersky's telemetry data reveals that between August 26th and September 15th, 2024, their security solutions blocked over 10,000 Necro attacks globally. Russia, Brazil, and Vietnam experienced the highest number of incidents during this period.

Necro Trojan Malware / Kaspersky

The widespread infection and sophisticated techniques employed by Necro underscore the importance of vigilant cybersecurity practices for Android users. To protect against this and similar threats, experts recommend:

  1. Installing applications only from official sources like Google Play.
  2. Regularly updating apps to ensure you have the latest security patches.
  3. Being cautious of modified versions of popular apps, especially those promising premium features for free.
  4. Using a reputable mobile security solution to detect and prevent malware infections.

Google has acknowledged the reports about the infected apps and stated that they are investigating the matter. 

As this situation continues to evolve, Android users are advised to stay informed about potential threats and take proactive steps to secure their devices.
