In late August 2024, Kaspersky experts identified a new version of the Necro Trojan that had infiltrated several popular applications on Google Play and modified applications on unofficial platforms, including Spotify, WhatsApp and Minecraft.
Necro is an Android downloader that downloads and runs other malicious components on infected devices based on commands issued by the Trojan’s creators. Kaspersky’s solutions recorded* Necro attacks targeting users in Russia, Brazil, Vietnam, Ecuador, and Mexico as part of this malicious campaign.
Capabilities of the Necro Trojan
The variant of Necro discovered by Kaspersky experts can download modules onto infected smartphones that display ads in invisible windows and click on them, download executable files, install third-party applications, and open arbitrary links in invisible WebView windows to execute JavaScript code.
Based on its technical characteristics, the Trojan is also likely capable of subscribing users to paid services. Additionally, the downloaded modules allow attackers to redirect Internet traffic through the victim’s device. This enables cybercriminals to visit prohibited or desired resources using the victim’s device, potentially utilising it as part of a proxy botnet.
Infected Apps on Unofficial Platforms
The first discovery of Necro by company’s experts was in a modified version of Spotify Plus. The creators of the app claimed that it was safe for devices and offered additional features not found in the official music streaming app.
Subsequently, experts also found a modified version of WhatsApp containing the Necro downloader, followed by infected versions of popular games, including Minecraft, Stumble Guys, and Car Parking Multiplayer. Necro was embedded into these applications via an unverified ad module.
Infected Apps on Google Play
The Necro campaign extended beyond third-party platforms and was also discovered on Google Play. The malicious downloader was found in the Wuta Camera app and Max Browser.
According to Google Play statistics, the combined downloads of these apps exceeded 11 million. On this platform, Necro was also distributed via an unverified ad module. Following Kaspersky’s report to Google, the malicious code was removed from Wuta Camera, and Max Browser was taken down from the store. However, users still risk encountering Necro on unofficial platforms.
“Users often download unofficial, modified apps to bypass restrictions in official applications or to access additional free features. Cybercriminals exploit this behaviour, spreading malware with these apps as there is no moderation on third-party platforms,” comments Dmitry Kalinin, cybersecurity expert at Kaspersky.
“It is also noteworthy that the version of Necro embedded in these applications used steganography techniques, hiding its payload within images to remain undetected – a very rare method for mobile malware.”
