Several legitimate Android apps, including popular ones like Spotify, WhatsApp, and Minecraft, have been altered to deliver a new variant of the Necro malware loader, according to cybersecurity firm Kaspersky. This new strain has been found in malicious versions of legitimate apps, some of which were available on the Google Play Store, with a cumulative download count of over 11 million.
The infected apps include:
As of now, Max Browser has been removed from the Play Store, while Wuta Camera has been updated (version 6.3.7.138) to remove the malware. A subsequent version, 6.3.8.148, was released on September 8, 2024.
The exact method of compromise for these apps remains unclear, but a rogue software development kit (SDK) intended for integrating advertising capabilities is suspected to be the culprit.
Necro Malware: A Persistent Threat
Necro, a malware loader first identified by Kaspersky in 2019, has resurfaced with new capabilities. The malware was originally hidden in a popular document scanning app called CamScanner, whose developers later attributed the infection to an advertisement SDK supplied by a third party, AdHub. The SDK contained a malicious module that retrieved additional malware from a remote server, acting as a loader for various types of malware on victim devices.
The new version of Necro exhibits similar behavior but employs advanced obfuscation techniques to evade detection. It utilizes steganography to conceal its payloads, a rare tactic for mobile malware.
How Necro Works
Once installed, the malicious apps activate a module named Coral SDK, which initiates communication with a remote server. This server sends a link to a PNG image hosted on adoss.spinsok[.]com, which, upon extraction, reveals the primary payload – a Base64-encoded Java archive (JAR) file.
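To give an analyst something concrete to run against the carrier-image technique described above, here is an added triage helper; it is not Kaspersky's code or the malware's, and it simply scans a file for long Base64 runs that decode to a ZIP/JAR archive and reports what it finds. The constructed sample assumes the Base64 text sits in the file's byte stream after the image data; the article does not describe how the real loader recovers the payload from the PNG, so treat that placement as an assumption.

```python
import base64
import hashlib
import io
import re
import zipfile

# Constructed sample: a minimal PNG-like byte stream followed by the Base64
# text of a tiny JAR. This is NOT the real Necro image; it only models the
# described carrier (PNG -> Base64-encoded JAR) so the triage code can run.
def build_sample_png() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)  # placeholder
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + b"IEND\xaeB`\x82"
    return png + base64.b64encode(buf.getvalue())

# Long runs of Base64 alphabet characters (>= 64 chars) with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"  # local file header of ZIP/JAR/APK containers

def find_embedded_jars(blob: bytes) -> list:
    """Return one record per Base64 run that decodes to a ZIP-style archive."""
    hits = []
    for m in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if not decoded.startswith(ZIP_MAGIC):
            continue
        names = []
        try:
            with zipfile.ZipFile(io.BytesIO(decoded)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            pass  # magic matched but the archive is truncated or damaged
        hits.append({
            "offset": m.start(),
            "size": len(decoded),
            "sha256": hashlib.sha256(decoded).hexdigest(),
            "is_jar": "META-INF/MANIFEST.MF" in names,
            "has_dex": any(n.endswith(".dex") for n in names),
        })
    return hits
```

The SHA-256 of each decoded archive is what you would compare against your own blocklists or submit for further analysis; a hit with `has_dex` set on a file that is supposed to be a plain image is a strong triage signal.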
The malware's capabilities include:
Modular Architecture for Maximum Impact
Necro's modular architecture allows it to perform a variety of functions depending on the modules it downloads from the command-and-control (C2) server. These modules include:
The recent discovery of the Happy SDK suggests that the threat actors are experimenting with a non-modular version of Necro, potentially adding new features or simplifying its deployment.
Global Reach and Impact
Kaspersky's telemetry data indicates that it blocked over ten thousand Necro attacks worldwide between August 26 and September 15, 2024. The countries most affected include:
"This new version is a multi-stage loader that uses steganography to hide the second-stage payload, a very rare technique for mobile malware, as well as obfuscation to evade detection," said Dmitry Kalinin, a researcher at Kaspersky. "The modular architecture gives the Trojan's creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application."
Protecting Against Mobile Malware
To protect against threats like Necro, users should:
As mobile malware becomes increasingly sophisticated, users and organizations must remain vigilant and proactive in their security measures to safeguard their devices and data.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067