Necro Trojan infiltrates Google Play and Spotify and WhatsApp mods

In the realm of mobile applications, the allure of modified versions often tempts users seeking enhanced features or customization. However, this quest for personalization can lead to unforeseen risks, particularly when these modifications harbor malicious software. Recent investigations have unveiled a resurgence of the Necro Trojan, a sophisticated malware that has infiltrated both popular apps and their unofficial counterparts.

How Necro spreads

Necro loader inside a Spotify mod

In late August 2024, a Spotify mod known as Spotify Plus caught our attention. This version, available for download on various unofficial sites, claimed to offer a plethora of features absent in the official app. To assess its safety, we conducted a thorough analysis of the latest version. Our findings revealed that the mod incorporated a custom Application subclass that initialized an SDK named adsrun, designed to integrate multiple advertising modules. Upon activation, this SDK communicated with a command-and-control server, transmitting encrypted data regarding the compromised device.

The server’s response included an error code indicating successful execution, along with a link to download a PNG file containing a hidden payload. This file, intriguingly named “shellP,” suggested a concealed functionality within its pixel values. The process of extracting this payload employed a straightforward steganographic technique, ultimately leading to the execution of malicious code.

Our telemetry search revealed that the Necro loader had also embedded itself within legitimate applications available on Google Play, impacting a user base exceeding 11 million Android devices. Notable examples include the Wuta Camera app, which had been downloaded over 10 million times. The Necro loader was detected starting from version 6.3.2.148, and upon reporting the malicious code, Google promptly removed it from subsequent updates.

Similarly, the Max Browser app, with over a million installations, was found to contain the Necro loader from version 1.2.0 onwards. Following our notification, Google took action to remove the infected version from their platform.

WhatsApp mods with the Necro loader

In addition to mainstream applications, we identified WhatsApp mods circulating in unofficial channels that harbored the Necro loader. These applications exhibited a unique operational pattern, utilizing Google’s Firebase Remote Config as a command-and-control mechanism. The malicious code demonstrated a high probability of execution, contingent upon specific conditions being met during runtime.

Other infected applications

Our investigation did not end there; we also uncovered infected game mods, including popular titles such as:

  • Minecraft
  • Stumble Guys
  • Car Parking Multiplayer
  • Melon Sandbox

The breadth of infected applications across various platforms underscores the necessity for vigilance in app sourcing. Our security solutions have successfully identified and flagged these threats, reinforcing the importance of using trusted sources for application downloads.

The Necro lifecycle in the wild: how the payload works

Through rigorous analysis, we obtained several payload samples executed by the Necro loader. These payloads exhibited characteristics consistent with the Necro family, including interactions with known command-and-control domains. The modular architecture of the malware allows for flexible updates and the introduction of new malicious modules, adapting to the evolving landscape of mobile threats.

Plugin encryption and loading

The plugin loading mechanism supports various decryption methods, enabling the malware to adapt its approach based on the specific payload. This adaptability is a hallmark of the Necro Trojan, which can download and execute different iterations of itself, thereby enhancing its persistence and evasion capabilities.

Types of plugins

Our analysis of telemetry data revealed several Necro modules, each serving distinct functions, from creating network tunnels to displaying intrusive advertisements. The diversity of these plugins indicates a well-structured approach to malware deployment, allowing the attackers to achieve their objectives effectively.

As the Necro Trojan continues to evolve, it poses a significant threat to users worldwide. The combination of sophisticated evasion techniques, modular architecture, and widespread distribution through both official and unofficial channels necessitates a proactive approach to mobile security.

Victims

With over 11 million downloads of the infected applications reported on Google Play, the actual number of compromised devices could be substantially higher. Our security solutions have thwarted thousands of Necro attacks globally, with notable concentrations in regions such as Russia, Brazil, and Vietnam. This highlights the urgent need for users to remain vigilant and prioritize security in their mobile app choices.

AppWizard
Necro Trojan infiltrates Google Play and Spotify and WhatsApp mods