Google Play once again inadvertently facilitated a major malware campaign. A trojan called Necro has returned and is once again infecting devices.
Kaspersky discovered the Necro trojan in 2019 inside an app meant for document scanning. Now the Russian cybersecurity firm has detected the malware again. Modified versions of popular apps such as Spotify and Minecraft were infected by Necro. These modified Android apps appeared to be legitimate alterations of the software, but contained invisible ads that stealthily loaded malware.
Unseen
The Necro malware’s loader operates stealthily. It uses a clever trick: it downloads an image that looks harmless but actually carries hidden code. Android tooling executes this code as soon as the image’s pixels are read. The hackers behind Necro chose to hide their malicious code in the blue color values of the image’s pixels.
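The article says the payload rides in the blue color values of an otherwise ordinary image. An analyst triaging an app bundle can check for that without running anything from the app: pull each color channel out of an image, look for a DEX header in it, and compare the channel's byte entropy with the others (real photo content is smooth; packed code is not). The script below is an added example, not code from the article or from Kaspersky. It assumes (an assumption, not something the article states) that the hidden code occupies the full blue byte of consecutive pixels in raster order, and it works on plain lists of (r, g, b) tuples so it runs without an imaging library; the two sample "images" and the hypothetical `pseudo_random_bytes` payload are constructed inline.

```python
"""Heuristic scan for a payload hidden in one color channel of an image.

Added example (not the article's or Kaspersky's code). Assumption: hidden
bytes occupy the full blue byte of consecutive pixels in raster order.
Pixels are plain (r, g, b) tuples so no imaging library is needed.
"""
import hashlib
import math
from collections import Counter

# Magic bytes that open a raw DEX file (documented Android format).
DEX_MAGIC = b"dex\n"
# A channel whose byte entropy exceeds this looks like packed data, not a photo.
ENTROPY_THRESHOLD = 7.5
CHANNELS = (("red", 0), ("green", 1), ("blue", 2))


def channel_bytes(pixels, index):
    """Return one color channel (0=R, 1=G, 2=B) as a byte string in raster order."""
    return bytes(p[index] for p in pixels)


def shannon_entropy(data):
    """Bits of entropy per byte: 8.0 is uniformly random, smooth images sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_pixels(pixels):
    """Per-channel findings: entropy and whether the channel starts with a DEX header."""
    findings = {}
    for name, idx in CHANNELS:
        data = channel_bytes(pixels, idx)
        findings[name] = {
            "entropy": round(shannon_entropy(data), 2),
            "dex_magic": data.startswith(DEX_MAGIC),
        }
    return findings


def suspicious_channels(pixels):
    """Names of channels that carry a DEX header or unusually high entropy."""
    return [
        name
        for name, info in scan_pixels(pixels).items()
        if info["dex_magic"] or info["entropy"] > ENTROPY_THRESHOLD
    ]


# --- constructed sample inputs (not real Necro artifacts) -------------------

WIDTH = HEIGHT = 64


def make_clean_image():
    """A smooth 64x64 gradient: what an ordinary bundled image looks like."""
    return [
        (x * 4, y * 4, (x + y) * 2)
        for y in range(HEIGHT)
        for x in range(WIDTH)
    ]


def pseudo_random_bytes(n, seed=b"constructed-demo-seed"):
    """Deterministic high-entropy filler standing in for packed code (hypothetical)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def make_stego_image():
    """Same gradient, but the blue channel is overwritten with a DEX-like blob."""
    payload = DEX_MAGIC + b"035\x00" + pseudo_random_bytes(WIDTH * HEIGHT - 8)
    return [(r, g, payload[i]) for i, (r, g, _b) in enumerate(make_clean_image())]


if __name__ == "__main__":
    for label, img in (("clean", make_clean_image()), ("stego", make_stego_image())):
        print(label, scan_pixels(img), "-> flagged:", suspicious_channels(img))
```

The entropy check is what catches a payload even when the header is obfuscated or does not sit at pixel zero; the DEX-magic check is the cheap, high-confidence case. On a real app bundle you would feed the pixel lists from each decoded image resource into `suspicious_channels` and review anything it flags.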
This sneaky method was tucked away in the Coral SDK, which piggybacks on adsrun, a tool for adding ads to apps. Because users often download these infected apps from unofficial websites, they bypass Google’s safety checks. However, even some approved apps on Google Play used this SDK. That means at least 11 million devices are definitely infected, and the real number is likely much higher; Kaspersky could not pin down the exact figure because many downloads come from third-party sources.
Capabilities
Once installed, Necro can wreak havoc in several ways. It can create invisible windows for other malicious payloads, download DEX files, and run JavaScript code in WebView browsers. Kaspersky warns that this can lead to users unknowingly signing up for paid services.
Google has removed the Play Store apps where Kaspersky found Necro. These included the Wuta camera app and Max Browser, which ironically claimed to focus on privacy and security.
This new version of Necro shows how versatile and dangerous it has become. Unlike the 2019 variant, it now has a non-modular architecture. Kaspersky’s researchers think this design makes it easier for the hackers to add new features; in addition, the loader can deploy different versions of the malware.
While the malware mainly targets Russia and Brazil, it has spread worldwide. In Europe, Spain, Italy, and Germany have been hit hardest, according to Kaspersky’s data.