Necro Android Malware Found in Popular Camera and Browser Apps on Play Store

Sep 24, 2024Ravie LakshmananMobile Security / Malware

Modified versions of legitimate Android apps tied to Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro.


Kaspersky said some of the malicious apps were also found on the Google Play Store, where they were collectively downloaded 11 million times. These apps are –

  • Wuta Camera – Nice Shot Always (com.benqu.wuta) – 10+ million downloads
  • Max Browser-Private & Security (com.max.browser) – 1+ million downloads

Max Browser is no longer available for download from the Play Store. Wuta Camera, on the other hand, has been updated (version 6.3.7.138) to remove the malware. The latest version of the app, 6.3.8.148, was released on September 8, 2024.


How both apps were compromised with the malware in the first place is currently unknown, although a rogue software developer kit (SDK) for integrating advertising capabilities is suspected to be the cause.

Necro (not to be confused with a botnet of the same name) was first detected by the Russian cybersecurity firm in 2019, when it was found hidden inside a popular document scanning app called CamScanner.

CamScanner later attributed the problem to an advertisement SDK supplied by a third party named AdHub, which contained a malicious module that retrieved next-stage malware from a remote server, effectively acting as a loader for other malware families on victim devices.


The latest version of the malware is similar, but it adds obfuscation techniques to evade detection, in particular steganography to hide its payloads.

“The acquired payloads, among other functions, could showcase adverts in unseen windows and interact with them, download and activate arbitrary DEX files, establish applications it fetched,” stated Kaspersky researcher Dmitry Kalinin.

It can additionally “open arbitrary links in unseen WebView windows and implement any JavaScript code in those, create a tunnel through the victim’s tool, and potentially subscribe to paid services.”

One of Necro's main distribution vectors is modified versions of popular apps and games hosted on unofficial sites and app stores. Once downloaded, the apps initialize a module named Coral SDK, which in turn sends an HTTP POST request to a remote server.

The server responds with a link to a purported PNG image file hosted on adoss.spinsok[.]com, from which the SDK then extracts the main payload, a Base64-encoded Java archive (JAR) file.
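As an added defensive example (not code from Kaspersky's report or from the Necro SDK), the following Python checks an image for the carrier pattern described above: a long Base64 run inside a PNG that decodes to a ZIP/JAR. Because the article does not say where in the image the payload sits, the scanner looks in text chunks, in the decompressed image data, and in any bytes appended after the IEND chunk. The sample PNG and the stand-in JAR it hides are constructed inline and contain no real malware.

```python
"""Heuristic detector for a Base64-encoded JAR hidden inside a PNG.

Added example, not Kaspersky's or Necro's code. A JAR is a ZIP, so a
Base64 run that decodes to bytes starting with "PK\x03\x04" and that the
zipfile module can read is treated as an embedded archive.
"""
import base64
import io
import re
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"
# 64+ Base64 characters with optional padding; Base64 of a ZIP starts "UEsDB".
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def parse_png(data):
    """Return ([(chunk_type, chunk_data), ...], bytes trailing after IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype, data[pos + 8:pos + 8 + length]))
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def _decode_b64(run):
    # Retry with the run trimmed to a multiple of 4 in case the regex overran.
    for candidate in (run, run[:len(run) - len(run) % 4]):
        try:
            return base64.b64decode(candidate, validate=True)
        except ValueError:
            continue
    return b""


def _jar_entries(blob):
    """Entry names if blob is a readable ZIP/JAR, otherwise None."""
    if not blob.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def find_hidden_jars(png_bytes):
    """List findings {'where', 'jar_size', 'entries', 'android_like'}."""
    chunks, trailing = parse_png(png_bytes)
    regions = [("trailing", trailing)]
    idat = b"".join(d for t, d in chunks if t == b"IDAT")
    try:
        regions.append(("IDAT(decompressed)", zlib.decompress(idat)))
    except zlib.error:
        pass
    for ctype, cdata in chunks:
        if ctype == b"zTXt":  # keyword\0 method-byte zlib-data
            _, _, comp = cdata.partition(b"\x00")
            try:
                cdata = zlib.decompress(comp[1:])
            except zlib.error:
                continue
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            regions.append((ctype.decode(), cdata))
    findings = []
    for where, blob in regions:
        for m in B64_RUN.finditer(blob):
            decoded = _decode_b64(m.group(0))
            entries = _jar_entries(decoded)
            if entries is not None:
                android_like = any(e.endswith(".dex") or e == "META-INF/MANIFEST.MF"
                                   for e in entries)
                findings.append({"where": where, "jar_size": len(decoded),
                                 "entries": entries, "android_like": android_like})
    return findings


def _chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_jar():
    """Constructed stand-in JAR: a manifest plus dummy classes.dex bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def build_sample_png(jar_bytes, mode):
    """1x1 grayscale PNG; 'text' hides the JAR in tEXt, 'trailing' after IEND, 'clean' hides nothing."""
    b64 = base64.b64encode(jar_bytes)
    png = PNG_SIGNATURE + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    if mode == "text":
        png += _chunk(b"tEXt", b"Comment\x00" + b64)
    png += _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
    return png + b64 if mode == "trailing" else png


if __name__ == "__main__":
    jar = build_sample_jar()
    for mode in ("clean", "text", "trailing"):
        print(mode, find_hidden_jars(build_sample_png(jar, mode)))
```

Run it over images an ad SDK fetched at runtime: a hit is a strong indicator, because a genuine image has no reason to carry an archive, while a miss proves little, since a loader can use a custom encoding or pixel-level embedding rather than plain Base64.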


Necro's malicious actions are carried out through a set of additional modules (also known as plugins) that are downloaded from the command-and-control (C2) server, enabling it to perform a wide range of actions on the compromised Android device –

  • NProxy – Create a tunnel through the victim's device
  • island – Generate a pseudo-random number used as a time interval (in milliseconds) between displays of intrusive ads
  • web – Periodically contact a C2 server and execute arbitrary code with elevated permissions when loading specific links
  • Cube SDK – A helper module that loads other plugins to handle advertising in the background
  • Tap – Download arbitrary JavaScript code and a WebView interface from the C2 server that are responsible for covertly loading and viewing ads
  • Happy SDK/Jar SDK – A module that combines the NProxy and web modules with minor differences

The discovery of the Happy SDK has raised the possibility that the threat actors behind the campaign are also experimenting with a non-modular version.

“This suggests that Necro is extremely adaptable and can download various iterations of itself, possibly to introduce new functionalities,” Kalinin said.

Telemetry data gathered by Kaspersky shows that it blocked more than ten thousand Necro attacks worldwide between August 26 and September 15, 2024, with Russia, Brazil, Vietnam, Ecuador, Mexico, Taiwan, Spain, Malaysia, Italy, and Turkey accounting for the most attacks.

“This updated version is a multi-stage loader utilizing steganography to conceal the second-stage payload, a highly uncommon method for mobile malware, alongside obfuscation to avoid detection,” Kalinin said.

“The modular design provides the Trojan’s creators with various choices for both general and targeted distribution of loader updates or new malevolent modules, depending on the infected application.”
