Kaspersky identified a new version of the Necro Trojan that had infiltrated several popular applications on Google Play and modified applications on unofficial platforms.
Necro is an Android downloader that downloads and runs other malicious components on infected devices. An example of malicious components is the ability to display ads in hidden windows or install apps. The Trojan is also capable of subscribing users to paid services and redirecting internet traffic through the victim’s device, potentially turning it into a proxy botnet for cybercriminals.
“Users often download unofficial, modified apps to bypass restrictions in official applications or to access additional free features. Cybercriminals exploit this behavior, spreading malware with these apps as there is no moderation on third-party platforms,” comments Dmitry Kalinin, cybersecurity expert at Kaspersky.
Based on anonymized statistics of Kaspersky’s solutions from August 26 to September 15, Necro attacks target users in Russia, Brazil, Vietnam, Ecuador, and Mexico as part of this malicious campaign.
Kaspersky experts discovered the Trojan in a modified version of Spotify Plus. They also found it in a modified version of WhatsApp, followed by infected versions of popular games, including Minecraft, Stumble Guys, and Car Parking Multiplayer. Necro was embedded into these applications via an unverified ad module.
Other infected apps include ones in Google Play, such as the Wuta Camera app and Max Browser, which have combined downloads of over 11 million. Fortunately, the malicious code was removed from Wuta Camera, and Max Browser was taken down from the store after the Kaspersky Lab’s report to Google. However, users still risk encountering Necro on unofficial platforms.
To protect against this and other Android cyber threats, Kaspersky experts also recommend:
- Download apps only from official sources;
- Regularly update their operating system and installed applications;
- Use a reliable security solution from a trusted manufacturer whose products are verified by independent test labs, such as Kaspersky Premium.
Kaspersky’s security solutions protect against Necro and detect the downloader as Trojan-Downloader.AndroidOS.Necro.f and Trojan-Downloader.AndroidOS.Necro.h, with the malicious components identified as Trojan.AndroidOS.Necro. To learn more about this Trojan, visit Securelist.com.
Leave a comment