Necro Trojan resurfaces on Android, infects 11 million devices via popular apps

The latest version has new features and infiltration methods

Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.

Why it matters: A resurrected Necro Trojan has infected 11 million devices so far. It's another example of the never-ending threat of mobile malware and the importance of being vigilant when downloading and using mobile applications. With Necro on the prowl, users should be particularly wary of modified versions of popular apps and always verify the source and permissions of any application before installation.

In 2019, security experts discovered a legitimate-looking Android app on the Google Play Store that had been covertly compromised by an ad library used by its developers. This malicious code resulted in 100 million devices being infected.

Five years later, the malware is back, Kaspersky reports. So far, this new version of the Necro Trojan has affected approximately 11 million Android users worldwide, having evolved with new features and infiltration methods that have made it more versatile, harder to detect, and potentially more dangerous than its predecessor.

The malware primarily spreads through unverified ad integration tools used by app developers, unofficial app sources, and modded versions of popular applications, and, in the case of Wuta Camera and Max Browser, the Google Play Store.

This version has several key differences compared with the original. It uses obfuscation techniques to avoid detection and its malicious payload is hidden within seemingly harmless PNG images. Additionally, various malicious modules can be mixed and matched for different actions on infected devices.

// Related Stories

• Scientists trick cancer cells into self-destructing through genetic editing
• Android apps can now block usage if sideloading is detected

While the original version infiltrated apps through an unverified ad integration tool, the new version is believed to exploit a malicious software developer kit for ad integration. Also, the Necro Trojan has successfully infiltrated several apps on Google Play this time around.

It has been found in Wuta Camera, with 10 million downloads on Google Play, Max Browser, with 1 million downloads on Google Play, modded versions of Spotify, and unofficial mods for WhatsApp, Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. In 2019, Kaspersky discovered it in CamScanner, a text recognition app that had clocked up over 100 million downloads on Google Play.

Once deployed, Necro has several nasty capabilities, including downloading and running DEX files, installing additional apps, and tunneling through the victim's device to allow attackers to route malicious traffic or bypass network security. It can also take out paid subscriptions, interact with ads in invisible windows to generate fraudulent ad revenue for the attackers, and open arbitrary links to run JavaScript code. It uploads user data to attacker-controlled servers and downloads malicious code with elevated system rights.

Protecting against Necro requires some common-sense precautions. Don't download apps from unofficial sources and be cautious even with apps from official platforms. Also, avoid modded or hacked versions of apps. Finally, it always pays to use reputable mobile security software.