Security Advisory

11 Million Affected: Widespread of the Necro Trojan in Android Apps

Overview

In September 2024, Kaspersky reported a widespread attack involving the Necro Trojan, which has potentially infected around 11 million Android devices globally. This sophisticated malware primarily targets users downloading modified versions of popular applications such as Spotify, WhatsApp, and Minecraft, as well as certain apps available on Google Play.

Necro Trojan

The Necro Trojan is a type of malware that acts as a loader, meaning it can download and execute additional malicious components once it infiltrates a device. Initially discovered in 2019, the Trojan has evolved, integrating advanced features that enhance its evasion techniques and capabilities. The Trojan cleverly hides its malicious payload within seemingly innocuous images, making it difficult to detect using traditional security methods. This technique allows the malware to bypass standard security checks.

Once activated, the Necro loader can:

  • Download and execute DEX files, which are compiled Android code.
  • Install additional malicious applications on the device without user consent.
  • Intercept sensitive information and transmit it to a command and control (C2) server operated by the attackers.
  • Display and interact with advertisements in invisible windows, potentially generating revenue for the attackers.
  • Open arbitrary links and execute JavaScript code, which can further compromise user security.

Affected Applications

The Necro Trojan has been found embedded in various applications, both from unofficial sources and Google Play.

  • “Spotify Plus” which is marketed as a free, premium version, it contained the Necro Trojan within its code. Users were enticed to download it from unofficial sources, unknowingly risking their devices.
  • Wuta Camera, which is the popular photo editing app was infected in version 6.3.2.148.
  • Max Browser in version 1.2.0.
  • Mods for WhatsApp and popular games like Minecraft, Stumble Guys, Car Parking Multiplayer etc have also been identified as carriers of the Necro loader.

Remediation

To effectively guard against the Necro Trojan and similar threats, users are advised to take the following actions

  • Wuta Camera, upgrade to version 6.3.7.138 or latest version immediately.
  • Ensure all apps are updated to the latest versions.

General Recommendations

  • Avoid unofficial sources for downloading any software.
  • Implement mobile security solutions that provide real-time and regular scanning to detect and neutralize threats.
  • Before downloading an app, review its ratings and feedback—watch for suspiciously high ratings and consider low-rated reviews for potential issues.
  • Always stay updated on emerging vulnerabilities & threats.

References

  • https://securelist.com/necro-trojan-is-back-on-google-play/113881/
Scroll to top