In late August 2024, Kaspersky experts identified a new version of the Necro Trojan that had infiltrated several popular applications on Google Play and modified applications on unofficial platforms, including Spotify, WhatsApp and Minecraft. Necro is an Android downloader that downloads and runs other malicious components on infected devices based on commands issued by the Trojan's creators. Kaspersky’s solutions recorded* Necro attacks targeting users in Russia, Brazil, Vietnam, Ecuador, and Mexico as part of this malicious campaign.
Capabilities of the Necro Trojan
The variant of Necro discovered by Kaspersky experts can download modules onto
infected smartphones that display ads in invisible windows and click on them,
download executable files, install third-party applications, and open arbitrary
links in invisible WebView windows to execute JavaScript code. Based on its
technical characteristics, the Trojan is also likely capable of subscribing
users to paid services. Additionally, the downloaded modules allow attackers to
redirect internet traffic through the victim's device. This enables
cybercriminals to visit prohibited or desired resources using the victim's
device, potentially utilizing it as part of a proxy botnet.
Infected Apps on Unofficial Platforms
The first discovery of Necro by company’s experts was in a modified version of
Spotify Plus. The creators of the app claimed that it was safe for devices and
offered additional features not found in the official music streaming app.
Subsequently, experts also found a modified version of WhatsApp containing the
Necro downloader, followed by infected versions of popular games, including
Minecraft, Stumble Guys, and Car Parking Multiplayer. Necro was embedded into
these applications via an unverified ad module.
Infected Apps on Google Play
The Necro campaign extended beyond third-party platforms and was also
discovered on Google Play. The malicious downloader was found in the Wuta
Camera app and Max Browser. According to Google Play statistics, the combined
downloads of these apps exceeded 11 million. On this platform, Necro was also
distributed via an unverified ad module. Following Kaspersky Lab’s report to
Google, the malicious code was removed from Wuta Camera, and Max Browser was
taken down from the store. However, users still risk encountering Necro on
unofficial platforms.
“Users often download unofficial, modified apps to bypass restrictions in
official applications or to access additional free features. Cybercriminals
exploit this behavior, spreading malware with these apps as there is no
moderation on third-party platforms,” comments Dmitry Kalinin,
cybersecurity expert at Kaspersky. “It is also noteworthy that the version
of Necro embedded in these applications used steganography techniques, hiding
its payload within images to remain undetected – a very rare method for mobile
malware.”
Kaspersky’s security solutions protect against Necro and detect the downloader
as Trojan-Downloader.AndroidOS.Necro.f and Trojan-Downloader.AndroidOS.Necro.h,
with the malicious components identified as Trojan.AndroidOS.Necro.
To learn more about Necro Trojan, visit Securelist.com.
To protect against this and other Android cyber threats, Kaspersky experts also recommend:
- Download apps only from official sources;
- Regularly update their operating system and installed applications;
- Use a reliable security solution from a trusted manufacturer whose products are verified by independent test labs, such as Kaspersky Premium.
** Data based on anonymized statistics of Kaspersky solutions for August 26 - September 15, 2024.