{"id":23310,"date":"2024-09-23T06:30:52","date_gmt":"2024-09-23T10:30:52","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=23310"},"modified":"2024-09-24T15:26:58","modified_gmt":"2024-09-24T11:26:58","slug":"necro-infects-android-users","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/necro-infects-android-users\/23310\/","title":{"rendered":"How the Necro Trojan attacked 11 million Android users"},"content":{"rendered":"<p>Here at Kaspersky Daily we\u2019re forever <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/google-play\/\" target=\"_blank\" rel=\"noopener nofollow\">urging<\/a> readers of our blog to be real careful when downloading content to their devices. After all, even <a href=\"https:\/\/www.kaspersky.com\/blog\/malware-in-google-play-2023\/49579\/\" target=\"_blank\" rel=\"noopener nofollow\">Google Play isn\u2019t immune to malware<\/a> \u2014 let alone unofficial sources with mods and hacked versions. For as long as the digital world keeps turning, Trojans will continue to worm their way onto devices that don\u2019t have <a href=\"https:\/\/me-en.kaspersky.com\/mobile-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____3d7d2c33c4c17a10\" target=\"_blank\" rel=\"noopener\">reliable protection<\/a>.<\/p>\n<p>Today we tell the story of how 11 million Android users worldwide may have fallen victim to the Necro Trojan. Read on to learn which apps we found it in \u2014 and how to protect yourself.\n<\/p>\n<h2>What is Necro<\/h2>\n<p>\nOur regular readers may recall reading about Necro when we first <a href=\"https:\/\/www.kaspersky.com\/blog\/camscanner-malicious-android-app\/28156\/\" target=\"_blank\" rel=\"noopener nofollow\">wrote<\/a> about it back in 2019. Back then, our experts discovered a Trojan in CamScanner, a text recognition app, which had clocked up over 100 million downloads on Google Play. 
Now the \u201cnecromancers\u201d have injected new blood into the old Trojan: we found a version richer in features both in popular apps on Google Play and in various app mods on unofficial sites. Most likely, the developers of these apps used an unverified ad integration tool through which Necro infiltrated the code.<\/p>\n<p>Today\u2019s Necro is a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/downloader\/\" target=\"_blank\" rel=\"noopener\">loader<\/a> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Obfuscation_(software)\" target=\"_blank\" rel=\"nofollow noopener\">obfuscated<\/a> to avoid detection (but that didn\u2019t stop us from finding it). It downloads the malicious payload in a no less crafty way, using <a href=\"https:\/\/www.kaspersky.com\/blog\/digital-steganography\/27474\/\" target=\"_blank\" rel=\"noopener nofollow\">steganography<\/a> to hide its code in a seemingly harmless image.<\/p>\n<p>The downloaded malicious modules are able to load and run any <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dalvik_(software)\" target=\"_blank\" rel=\"nofollow noopener\">DEX<\/a> files (compiled code written for Android), install downloaded apps, tunnel through the victim\u2019s device, and even \u2014 potentially \u2014 take out paid subscriptions. 
In addition, they can display and interact with ads in invisible windows, as well as open arbitrary links and run any JavaScript code.<\/p>\n<p>Read more about how Necro is designed and how it operates on our <a href=\"https:\/\/securelist.com\/necro-trojan-is-back-on-google-play\/\" target=\"_blank\" rel=\"noopener\">Securelist blog<\/a>.\n<\/p>\n<h2>Where Necro hides<\/h2>\n<p>\nWe found traces of the malware in a user-modded version of Spotify, in the photo editing app Wuta Camera, in Max Browser, and in mods for both WhatsApp and popular games (including Minecraft).\n<\/p>\n<h3>In modded Spotify<\/h3>\n<p>\nAt the very start of our investigation, our eye was caught by an unusual modification of the Spotify Plus app. Users were invited to download a new version of their favorite app from an unofficial source \u2014 for free and with an unlocked subscription offering unlimited listening, both online and off. The nice green <em>Download Spotify MOD APK<\/em> button looks so tempting, right? Stop! It\u2019s malware. Never mind the <em>Security Verified<\/em> and <em>Official Certification<\/em> guarantees; this app will wreak havoc.<\/p>\n<div id=\"attachment_52205\" style=\"width: 1272px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/09\/23143316\/necro-infects-android-users-01.jpeg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-52205\" class=\"size-full wp-image-52205\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/09\/23143316\/necro-infects-android-users-01.jpeg\" alt=\"Well I never, all versions are viewable. Could Necro or other Trojans be lurking there too?\" width=\"1262\" height=\"976\"><\/a><p id=\"caption-attachment-52205\" class=\"wp-caption-text\">Well I never, all versions are viewable. 
Could Necro or other Trojans be lurking there too?<\/p><\/div>\n<p>When this app was launched, the Trojan sent information about the infected device to the attackers\u2019 C2 server, and in response got a link to download a PNG image. The <a href=\"https:\/\/securelist.com\/necro-trojan-is-back-on-google-play\/\" target=\"_blank\" rel=\"noopener\">malicious payload was hidden<\/a> in this image by means of steganography.\n<\/p>\n<h3>In apps on Google Play<\/h3>\n<p>\nWhile the Spotify mod was distributed through unofficial channels, the Necro-infected Wuta Camera found its way onto Google Play, from where the app was downloaded more than 10 million times. According to our data, the Necro loader penetrated version 6.3.2.148 of Wuta Camera, with clean versions starting from 6.3.7.138. So, if your version is lower than that, you need to update immediately.<\/p>\n<div id=\"attachment_52204\" style=\"width: 1439px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/09\/23143342\/necro-infects-android-users-02.jpeg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-52204\" class=\"size-full wp-image-52204\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/09\/23143342\/necro-infects-android-users-02.jpeg\" alt=\"The impressive download count and decent ratings masked a Trojan\" width=\"1429\" height=\"1139\"><\/a><p id=\"caption-attachment-52204\" class=\"wp-caption-text\">The impressive download count and decent ratings masked a Trojan<\/p><\/div>\n<p>Max Browser\u2019s audience is much smaller \u2014 just one million users. Necro infiltrated its app code in version 1.2.0. The app was removed from Google Play following our notification, but it\u2019s still available on third-party resources. 
These, of course, should be trusted even less, since trojanized versions of the browser may still live there.\n<\/p>\n<h3>In mods for WhatsApp, Minecraft, and other popular apps<\/h3>\n<p>\nAlternative messenger clients usually boast more features than their official cousins. But you should treat all mods, be they on Google Play or a third-party site, <a href=\"https:\/\/www.kaspersky.com\/blog\/telegram-signal-malware-in-google-play\/48937\/\" target=\"_blank\" rel=\"noopener nofollow\">as suspicious<\/a>, for they often come <a href=\"https:\/\/www.kaspersky.com\/blog\/whatsapp-mods-canesspy\/49656\/\" target=\"_blank\" rel=\"noopener nofollow\">bundled with Trojans<\/a>.<\/p>\n<p>For instance, we found mods for WhatsApp with the Necro loader being distributed from unofficial sources, as well as mods for Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. And this selection sure isn\u2019t random \u2014 attackers always target the <a href=\"https:\/\/www.kaspersky.com\/blog\/how-scammers-attack-young-gamers-2024\/52099\/#:~:text=Attackers%20love%20Minecraft\" target=\"_blank\" rel=\"noopener nofollow\">most popular games and apps<\/a>.\n<\/p>\n<h2>How to guard against Necro<\/h2>\n<p>\nFirst of all, we strongly <a href=\"https:\/\/www.kaspersky.com\/blog\/unknown-apps-android\/41656\/\" target=\"_blank\" rel=\"noopener nofollow\">advise against downloading apps from unofficial sources<\/a> because the risk of device infection is extremely high. Secondly, apps on Google Play and other official platforms should also be treated with a healthy dose of skepticism. 
Even a popular app like Wuta Camera, with 10 million downloads, proved powerless in the face of Necro.\n<\/p>\n<ul>\n<li>\n<strong>Make sure to <a href=\"https:\/\/me-en.kaspersky.com\/mobile-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____3d7d2c33c4c17a10\" target=\"_blank\" rel=\"noopener\">protect<\/a><\/strong><strong>\u00a0your devices<\/strong> so as not to be caught off guard by a Trojan. <a href=\"https:\/\/me-en.kaspersky.com\/mobile-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____3d7d2c33c4c17a10\" target=\"_blank\" rel=\"noopener\">Kaspersky for Android<\/a>\u00a0detects Necro and other similar malware.<\/li>\n<li>\n<strong>Check the app page in the store before downloading.<\/strong> We particularly recommend looking at reviews with low ratings, as these generally give a heads-up about potential pitfalls. Rave reviews could be fake, while a high overall score is easy to inflate.<\/li>\n<li>\n<strong>Don\u2019t look for mods or hacked versions. 
<\/strong>Such apps are almost always stuffed with all kinds of Trojans: from the most harmless to mobile spyware like <a href=\"https:\/\/www.kaspersky.com\/blog\/whatsapp-mods-canesspy\/49656\/#:~:text=Trojan%2DSpy.AndroidOS.CanesSpy\" target=\"_blank\" rel=\"noopener nofollow\">CanesSpy<\/a><strong>.<\/strong>\n<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kisa-generic-3\">\n","protected":false},"excerpt":{"rendered":"<p>At risk are users of modified versions of Spotify, WhatsApp, Minecraft, and other apps from Google Play.<\/p>\n","protected":false},"author":2739,"featured_media":23312,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[105,183,97,738,692],"class_list":{"0":"post-23310","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-google-play","10":"tag-security-2","11":"tag-surveillance","12":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/necro-infects-android-users\/23310\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/necro-infects-android-users\/28045\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/necro-infects-android-users\/12082\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/necro-infects-android-users\/28199\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/necro-infects-android-users\/27720\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/necro-infects-android-users\/30445\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/necro-infects-android-users\/29209\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/necro-infects-android-users\/38274\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/necro-infects-android-users\/12842\/"},{"hreflang":"
x-default","url":"https:\/\/www.kaspersky.com\/blog\/necro-infects-android-users\/52201\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/necro-infects-android-users\/22245\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/necro-infects-android-users\/31661\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/necro-infects-android-users\/37250\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/necro-infects-android-users\/28308\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/necro-infects-android-users\/34130\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/necro-infects-android-users\/33785\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2739"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23310"}],"version-history":[{"count":6,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23310\/revisions"}],"predecessor-version":[{"id":23318,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23310\/revisions\/23318"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23312"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.
com\/blog\/wp-json\/wp\/v2\/tags?post=23310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}