Necro malware continues to haunt side-loaders of dodgy Android mods

11M devices exposed to trojan, Kaspersky says

The Register

The Necro trojan is once again making a move against Android users, with up to eleven million individuals thought to be exposed to infected apps.

Kaspersky originally unearthed a Necro campaign in 2019, exposing an estimated 100 million devices to the Necro dropper, the main task of which is to install other types of malware onto infected devices.

It's a similar story to many of those related to Android malware – popular apps are either spoofed or so-called mods are advertised that eventually lead to malware infections. Most commonly these are side-loaded onto Android devices, but some of these apps are also made for the Play Store.

One such example is Wuta Camera, a selfie retouching app developed by Shanghai Benqumark Network Technology. According to its Google Play page, which is still up and supporting downloads, the app has been downloaded more than 10 million times. In the Play Store description, the developer claims the real figure is closer to 200 million downloads.

Another is the Max Browser, which marketed itself as a privacy-focused browser for Android and had more than 1 million downloads, according to the Play Store's metrics.

Google addressed the issues in both Wuta Camera and Max Browser, forcing the former to remove the Necro code in an app update, while the latter was taken off the Play Store entirely.

Kaspersky developer Dmitry Kalinin, who carried out the research, said side-loaded spoofed apps and supposedly legitimate modifications of the genuine articles are also a real problem.

Modifications for popular apps like Spotify are rife. Some are useful and some are not. One highlighted by Kalinin claimed to offer premium features for free, something that should always set off alarm bells, but, alas, it seems there is still success to be had here.

WhatsApp is another common target for malicious mods, which is unsurprising given the global popularity of the messaging app. It featured in previous Kaspersky research that found mods laden with spyware and other trojans.

Malicious modders also target apps commonly used by children, such as the popular Minecraft and Stumble Guys games. Such users are less likely to be aware of the threats unverified mods can present – even this reporter was partial to a dodgy COD4 mod or two back in the day – yet still have the technical know-how to download and install them.

It's not an ideal combo as far as security is concerned. It also doesn't help that there are legitimate, safe, and useful mods available for apps, making it more difficult to discern which are and aren't trustworthy.

Kaspersky's analysis of the trojan revealed an identical payload configuration structure and payloads consistent with previous versions of the trojan and Necro family of malware.

It's not the most harmful malware in the world – the researchers mentioned nothing of data being exfiltrated, such as private messages or photos.

The primary payloads downloaded to victims' devices are also largely unchanged, focusing mainly on the delivery of intrusive ads and on stealing money by charging accounts for fake subscriptions.

That said, Necro doesn't come without any changes. The latest version of the multi-stage trojan exhibits what Kalinin said was "a very rare technique for mobile malware" – using steganography to conceal a payload in the code of a PNG image.

There is a full list of indicators of compromise (IOCs) in Kaspersky's blog, and in terms of avoiding these kinds of infections, it's generally just a good idea to not download anything from dodgy sources. Basic stuff, really.

The Register asked Google to comment given that its Play Store is at the heart of so many Android malware stories, but it didn't respond in time for publication. ®