Necro Trojan
In 2019, security researchers uncovered a troubling case: CamScanner, a legitimate Android application on the Google Play Store with more than 100 million downloads, had been compromised through a third-party advertising library that its developers used to generate revenue. The modified library connected those devices to attacker-controlled servers, which then delivered hidden payloads.
A similar situation has now resurfaced. Researchers have identified two more applications, downloaded a combined 11 million times from Google Play, that are infected by the same malware family. Once again, an unsafe software development kit used to integrate advertising features appears to be to blame.
What is an SDK?
Software development kits, or SDKs, give developers pre-built components that simplify and speed up application development by handling routine tasks. In this case, an unverified SDK module, ostensibly designed to display ads, was integrated into the applications. Beneath the surface, however, it implemented techniques for covertly communicating with attacker-controlled servers, letting the applications upload user data and download malicious code that could be executed or updated at any time.
How the Necro Trojan Infects Devices
The malware family behind both campaigns is called Necro. In this campaign, some variants use steganography to hide their payloads, a technique rarely seen in mobile threats, and some use further tricks to deliver malicious code that runs with elevated system privileges. Once a device is infected, the module contacts an attacker-controlled command-and-control (C2) server and sends encrypted JSON that reports details about the compromised device and about the application hosting the malicious module.
The server replies with a JSON message containing a link to a PNG image and metadata that includes the image's hash. The module downloads the image and checks its MD5 against that hash; only if the check passes does it go on to process the image.
Researchers explained that the SDK module uses a simple steganographic algorithm. Once the MD5 check passes, it reads the image's pixel values, the ARGB channels, using standard Android APIs. Bitmap.getPixel returns each pixel as a packed 32-bit ARGB integer whose least significant byte is the blue channel, and it is from those blue-channel bytes that the malware begins assembling its payload.
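As an added illustration (not code from the researchers' report or from Necro itself), the following Python recreates the check-in and extraction steps end to end: it writes a small PNG with bytes hidden in the blue channel, mimics the image hash the C2 reply carries, refuses the image when the MD5 does not match, and otherwise pulls the payload out of the least significant byte of each ARGB pixel, the same byte Bitmap.getPixel exposes. The 4-byte length prefix, the PNG writer/reader (8-bit RGBA, filter type 0 only), the fake C2 reply and the sample payload are constructed assumptions for this example, not Necro's real layout.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, tag, body, CRC over tag+body."""
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))


def write_png_rgba(pixels, width: int, height: int) -> bytes:
    """Minimal PNG writer: 8-bit RGBA, filter type 0 on every scanline (assumption for this example)."""
    raw = b"".join(b"\x00" + b"".join(bytes(p) for p in pixels[y * width:(y + 1) * width])
                   for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png_argb(data: bytes):
    """Minimal PNG reader returning (width, height, pixels), each pixel packed as
    0xAARRGGBB, the same int layout Android's Bitmap.getPixel returns."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 6:
                raise ValueError("example reader handles 8-bit RGBA only")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # 4 length + 4 tag + body + 4 CRC
    raw, stride, pixels = zlib.decompress(idat), 1 + 4 * width, []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("example reader handles filter type 0 only")
        for x in range(width):
            r, g, b, a = row[1 + 4 * x:5 + 4 * x]
            pixels.append((a << 24) | (r << 16) | (g << 8) | b)
    return width, height, pixels


def embed_in_blue(payload: bytes, width: int, height: int) -> bytes:
    """Carrier side (assumed layout): big-endian 4-byte length, then the payload, one byte per
    pixel in the blue channel; leftover pixels get filler. Red/green/alpha are arbitrary cover values."""
    body = struct.pack(">I", len(payload)) + payload
    if len(body) > width * height:
        raise ValueError("payload does not fit in the image")
    pixels = []
    for i in range(width * height):
        blue = body[i] if i < len(body) else (i * 37) & 0xFF
        pixels.append(((i * 11) & 0xFF, (i * 7) & 0xFF, blue, 255))
    return write_png_rgba(pixels, width, height)


def extract_from_blue(png: bytes, expected_md5: str) -> bytes:
    """Infected-device side: verify the hash from the C2 metadata first, then read the least
    significant byte (blue) of every ARGB pixel and reassemble the payload."""
    if hashlib.md5(png).hexdigest() != expected_md5:
        raise ValueError("MD5 mismatch: image rejected before any pixel is processed")
    _, _, argb = read_png_argb(png)
    blues = bytes(p & 0xFF for p in argb)  # p & 0xFF is the blue channel of 0xAARRGGBB
    (n,) = struct.unpack(">I", blues[:4])
    if 4 + n > len(blues):
        raise ValueError("declared payload length exceeds image capacity")
    return blues[4:4 + n]


SAMPLE_PAYLOAD = b"constructed second-stage blob, not real Necro code"


def demo() -> bytes:
    """Round trip: build the carrier, fake the C2 JSON metadata, verify, extract."""
    png = embed_in_blue(SAMPLE_PAYLOAD, 16, 16)
    c2_reply = {"image": "https://example.invalid/cover.png",  # constructed stand-in for the C2 JSON
                "md5": hashlib.md5(png).hexdigest()}
    return extract_from_blue(png, c2_reply["md5"])


def demo_tampered() -> str:
    """A carrier altered in transit (last byte flipped) fails the hash check and is never parsed."""
    png = embed_in_blue(SAMPLE_PAYLOAD, 16, 16)
    expected = hashlib.md5(png).hexdigest()
    tampered = png[:-1] + bytes([png[-1] ^ 0x01])
    try:
        extract_from_blue(tampered, expected)
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print(demo())
    print(demo_tampered())
```

The hash check is what makes this a dropper rather than a generic downloader: the module only parses images the operator has explicitly signed off on via the hash in the JSON reply, so a defender replaying or substituting the image URL gets nothing, and a network sensor sees only an ordinary PNG fetch. For detection, the useful artefacts are the encrypted JSON check-in and an app that decodes a freshly downloaded image pixel by pixel rather than displaying it.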
The Necro Trojan Could Lead to Severe Consequences
Follow-on payloads installed by the malware download plugins that can be tailored to each infected device to perform various actions. One such plugin allows code to execute with elevated system privileges. Normally, Android prevents privileged processes from using WebView, the component for displaying web pages inside applications. To get around this restriction, Necro uses Java reflection to create a separate instance of the WebView factory.
This plugin can also download and execute other files that modify links displayed through WebView. With elevated system rights, these components can rewrite URLs to insert confirmation codes for paid subscriptions, and download and run code from attacker-controlled links. Researchers identified five distinct payloads during their analysis of Necro, and its modular structure gives the malware many ways to operate.
The Necro Trojan Was Found in Two Applications
Researchers identified Necro in two applications on Google Play. One, Wuta Camera, has been downloaded 10 million times. Versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK; the application has since been updated to remove the component, so users who installed one of those versions should update to a current release. The other, Max Browser, with roughly 1 million downloads, was also compromised and is no longer available on Google Play; anyone who still has it installed should uninstall it.
The researchers also found Necro in a range of Android applications distributed through alternative marketplaces. These are typically presented as modified versions of legitimate applications, including Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer and Melon Sandbox.