In late August 2024, cybersecurity experts from Kaspersky identified a new variant of the Necro Trojan, an advanced Android malware downloader, which has managed to infiltrate several widely used applications on both Google Play and unofficial platforms. Among the infected applications are popular names such as Spotify, WhatsApp, and Minecraft, posing a significant threat to users across various countries. This malicious campaign, which has primarily affected users in Russia, Brazil, Vietnam, Ecuador, and Mexico, represents a new level of sophistication in mobile cyberattacks.
The Necro Trojan functions as a downloader that fetches and executes other malicious components on compromised devices. Controlled remotely by its creators, the Trojan’s updated capabilities allow it to download modules that engage in various harmful activities. These include displaying ads in invisible windows, performing automatic clicks, installing third-party apps without user consent, and opening links in invisible windows to execute JavaScript code. One of its more troubling features is its likely ability to subscribe users to paid services without their knowledge.
In addition to its ad-clicking capabilities, the Trojan enables attackers to redirect internet traffic through the infected device. This allows cybercriminals to exploit compromised smartphones as proxies to access restricted websites or mask their activities by routing through victims’ devices.
The first detection of Necro by Kaspersky occurred within a modified version of Spotify Plus, an unofficial variant of the popular music streaming app that falsely claimed enhanced features. Following this, other applications such as WhatsApp and a range of popular mobile games including Minecraft, Stumble Guys, and Car Parking Multiplayer were found to be infected. These modified apps, available on third-party platforms lacking security oversight, were bundled with an unverified ad module that concealed the Trojan.
However, the Necro Trojan did not confine itself to unofficial platforms. Kaspersky experts also discovered that it had infiltrated Google Play through applications such as Wuta Camera and Max Browser. Combined, these apps had been downloaded over 11 million times, exposing a large number of users to the Trojan before the malware was reported. After Kaspersky informed Google of the breach, the malicious code was removed from Wuta Camera, and Max Browser was taken down entirely from the Play Store. Despite these actions, the Trojan continues to pose a threat through unofficial app stores.
Necro’s advanced evasion techniques set it apart from other mobile malware. It employs steganography, hiding its malicious payload within images to avoid detection, a rare method for Android-based threats. This technique underscores the growing complexity of mobile malware, challenging conventional detection systems.
Kaspersky’s security solutions are actively protecting users from this variant of Necro, detecting the malware under the designations Trojan-Downloader.AndroidOS.Necro.f and Trojan-Downloader.AndroidOS.Necro.h. To mitigate the risks posed by Necro and similar threats, Kaspersky advises users to only download applications from official app stores, keep their operating systems and apps up to date, and utilize trusted security solutions with proven effectiveness.
For additional information on the Necro Trojan and its evolving threat, users are encouraged to visit Securelist.com.