Kaspersky reports Necro Trojan sneaks into Google Play with up to 11 million victims
In late August 2024, Kaspersky experts detected a new variant of the Necro Trojan infiltrating several widely used applications on Google Play, as well as modified versions of apps such as Spotify, WhatsApp, and Minecraft distributed on unofficial platforms. Necro functions as an Android downloader, downloading and executing other malicious components on infected devices based on instructions from its creators. Kaspersky’s solutions documented Necro attacks aimed at users in Russia, Brazil, Vietnam, Ecuador, and Mexico as part of this malicious campaign.
The recently discovered Necro variant can download various modules onto compromised smartphones, which can display ads in invisible windows and automatically click on them. It is also capable of downloading executable files, installing third-party applications, and opening arbitrary links in invisible WebView windows to execute JavaScript code. Given its technical characteristics, this Trojan may also subscribe users to paid services without their consent. Moreover, the downloaded modules enable attackers to redirect internet traffic through the victim’s device, allowing cybercriminals to access restricted or desired resources using the victim’s device as part of a proxy botnet.
Kaspersky experts first identified Necro in a modified version of Spotify Plus, which falsely claimed to be safe and offered additional features not available in the official music streaming app. Following this, a modified version of WhatsApp containing the Necro downloader was discovered, along with infected versions of popular games such as Minecraft, Stumble Guys, and Car Parking Multiplayer. The Trojan was embedded into these applications via an unverified ad module.
The Necro campaign extended to Google Play, where the malicious downloader was found in the Wuta Camera app and Max Browser. According to Google Play statistics, these apps had over 11 million combined downloads. On this platform, Necro was also distributed through an unverified ad module. After Kaspersky Lab reported the malicious code, it was removed from Wuta Camera, and Max Browser was taken down from the store. However, users remain at risk of encountering Necro on unofficial platforms.
“Users frequently download unofficial, modified apps to bypass restrictions in official applications or to access additional free features. Cybercriminals exploit this behaviour, spreading malware through these apps as there is no moderation on third-party platforms,” comments Dmitry Kalinin, a cybersecurity expert at Kaspersky. “It’s also significant that the version of Necro embedded in these applications employed steganography techniques, hiding its payload within images to evade detection—a rare method for mobile malware.”
Kaspersky’s security solutions protect against Necro, detecting the downloader as Trojan-Downloader.AndroidOS.Necro.f and Trojan-Downloader.AndroidOS.Necro.h, with the malicious components identified as Trojan.AndroidOS.Necro. To safeguard against this and other Android cyber threats, Kaspersky experts recommend:
- Downloading apps only from official sources
- Regularly updating the operating system and installed applications
- Using a reliable security solution from a trusted manufacturer, such as Kaspersky Premium, which is verified by independent test labs.