Sep 24, 2024 | Ravie Lakshmanan
Mobile Security / Malware
Emerging Threats in Mobile Security
In a concerning development for mobile security, altered versions of well-known Android applications, including ones tied to popular platforms such as Spotify, WhatsApp and Minecraft, have been identified as carriers of a new iteration of the Necro malware loader. Kaspersky reports that two of the tainted apps were also available on the official Google Play Store, with roughly 11 million downloads between them:
- Wuta Camera – Nice Shot Always (com.benqu.wuta) – 10+ million downloads
- Max Browser – Private & Security (com.max.browser) – 1+ million downloads
Max Browser has since been removed from the Play Store, while Wuta Camera was updated (version 6.3.7.138) to remove the malicious code; the current release, 6.3.8.148, was published on September 8, 2024. Users of Wuta Camera should confirm that the installed version is 6.3.7.138 or later.
The precise method by which these applications were compromised remains unclear, although it is suspected that a rogue software development kit (SDK) designed for integrating advertising capabilities may be to blame. Necro, which should not be confused with a similarly named botnet, was first uncovered by Kaspersky in 2019, hidden within a widely used document scanning app called CamScanner. The developers of CamScanner attributed the issue to an advertisement SDK from a third-party provider, AdHub, which contained a malicious module capable of retrieving subsequent malware from a remote server, effectively acting as a loader.
The latest version of Necro continues this trend, employing advanced obfuscation techniques to evade detection, particularly through the use of steganography to conceal its payloads. According to Kaspersky researcher Dmitry Kalinin, “The downloaded payloads, among other things, could display ads in invisible windows and interact with them, download and execute arbitrary DEX files, install applications it downloaded.” Furthermore, it can “open arbitrary links in invisible WebView windows and execute any JavaScript code in those, run a tunnel through the victim’s device, and potentially subscribe to paid services.”
A primary distribution channel for Necro is modified ("modded") versions of popular apps and games offered on unofficial websites and third-party app stores. Once installed, the trojanized app initializes a module known as Coral SDK, which sends an HTTP POST request to a remote server. The server replies with a link to what appears to be a PNG image hosted on adoss.spinsok[.]com; the SDK downloads that file and extracts the main payload from it, a Base64-encoded Java archive (JAR), using steganography. The image itself, not a separate download, is what carries the second stage.
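To make the steganographic stage concrete, the following Python script is an added example (not Necro's, Kaspersky's or The Hacker News' code). It builds a valid PNG whose raw RGB pixel bytes carry a Base64-encoded JAR, recovers that JAR the way a loader stage would, and then shows the defender-side check a practitioner wants: does this "image" decode to something with ZIP/JAR magic? The container layout (a 4-byte big-endian length followed by Base64 text in the pixel bytes) is an assumption chosen for illustration; the page does not describe Necro's actual encoding. The sample JAR is constructed in memory and contains only placeholder text.

```python
"""Illustrative PNG steganography loader stage and a detection heuristic.

Added example, not Necro's code.  Assumed container layout: the PNG's
raw RGB pixel bytes hold a 4-byte big-endian length, then Base64 text,
then zero padding.  The JAR is a constructed stand-in, not real malware.
"""
import base64
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def embed_payload(payload: bytes, width: int = 64) -> bytes:
    """Hide `payload` in the pixel bytes of a valid 8-bit RGB PNG."""
    blob = base64.b64encode(payload)
    body = struct.pack(">I", len(blob)) + blob       # assumed length prefix
    row_bytes = width * 3                            # 3 bytes per RGB pixel
    height = -(-len(body) // row_bytes)              # ceil division
    body += b"\x00" * (height * row_bytes - len(body))
    # Every scanline starts with a filter-type byte; 0 means unfiltered.
    raw = b"".join(b"\x00" + body[i:i + row_bytes]
                   for i in range(0, len(body), row_bytes))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_pixel_bytes(png: bytes) -> bytes:
    """Walk the chunk stream, verify CRCs, return unfiltered RGB bytes."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, idat, width = len(PNG_SIG), [], None
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        if ctype == b"IHDR":
            width, _height, depth, colour = struct.unpack(">IIBB", data[:10])
            if (depth, colour) != (8, 2):
                raise ValueError("example handles 8-bit RGB only")
        elif ctype == b"IDAT":
            idat.append(data)
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(b"".join(idat))
    stride = width * 3 + 1
    rows = [raw[i:i + stride] for i in range(0, len(raw), stride)]
    if any(r[0] != 0 for r in rows):
        raise ValueError("example handles unfiltered scanlines only")
    return b"".join(r[1:] for r in rows)


def extract_payload(png: bytes) -> bytes:
    """Recover the hidden payload the way a loader stage would."""
    pixels = png_pixel_bytes(png)
    (n,) = struct.unpack(">I", pixels[:4])
    return base64.b64decode(pixels[4:4 + n], validate=True)


def looks_like_jar(data: bytes) -> bool:
    """A JAR is a ZIP archive; a ZIP begins with the PK\\x03\\x04 header."""
    return data.startswith(b"PK\x03\x04")


def hides_archive(png: bytes) -> bool:
    """Defender-side heuristic for this assumed layout: does the 'image'
    decode to a ZIP/JAR?  Any parse failure means 'no'."""
    try:
        return looks_like_jar(extract_payload(png))
    except (ValueError, struct.error, zlib.error):
        return False


def make_sample_jar() -> bytes:
    """Constructed stand-in for a second-stage JAR (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"placeholder dex bytes for the example")
    return buf.getvalue()


if __name__ == "__main__":
    jar = make_sample_jar()
    png = embed_payload(jar)
    print("PNG bytes:", len(png),
          "| payload recovered:", extract_payload(png) == jar,
          "| hides archive:", hides_archive(png))
```

The point for defenders is that the file is a well-formed PNG, with correct chunk CRCs, so MIME sniffing and image-viewer checks pass; only decoding the pixel data and looking at what it contains reveals the archive. The heuristic above is tied to the assumed layout, so in practice a reviewer of an ad SDK would instead watch for image downloads followed by DEX/JAR loading from the same code path.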
The malicious capabilities of Necro are realized through a series of additional modules, or plugins, downloaded from a command-and-control (C2) server, enabling a wide array of actions on the compromised Android device:
- NProxy: Creates a tunnel through the victim’s device.
- island: Generates a pseudo-random number to determine the interval between intrusive ad displays.
- web: Periodically contacts a C2 server and executes arbitrary code with elevated permissions when loading specific links.
- Cube SDK: A helper module that loads other plugins to manage ads in the background.
- Tap: Downloads arbitrary JavaScript code and a WebView interface from the C2 server responsible for covertly loading and displaying ads.
- Happy SDK/Jar SDK: A module that combines NProxy and web modules with minor variations.
The emergence of Happy SDK suggests that the threat actors behind this campaign may be experimenting with a non-modular version as well. Kalinin noted, “This indicates that Necro is highly adaptable and can download different iterations of itself, perhaps to introduce new features.” Kaspersky’s telemetry data reveals that over ten thousand Necro attacks were thwarted globally between August 26 and September 15, 2024, with Russia, Brazil, Vietnam, Ecuador, Mexico, Taiwan, Spain, Malaysia, Italy, and Turkey being the most affected regions.
“This new version is a multi-stage loader that uses steganography to conceal the second-stage payload, a technique rarely seen in mobile malware, along with obfuscation to avoid detection,” Kalinin explained. “The modular architecture provides the Trojan’s creators with a broad range of options for both mass and targeted delivery of loader updates or new malicious modules, depending on the infected application.”