Android Malware Necro: Understanding the Threat

Author

Reads 976

Smart home devices security camera system.
Credit: pexels.com, Smart home devices security camera system.

Android malware necro is a type of malware that targets Android devices, causing significant harm to users. It's a relatively new threat, but it's already making waves in the cybersecurity world.

Android malware necro is designed to remain dormant for long periods, allowing it to evade detection by traditional security measures. This is why it's often referred to as "necro" or "undead" malware.

One of the most concerning aspects of Android malware necro is its ability to spread through infected apps, which can be downloaded from the Google Play Store. This makes it difficult for users to avoid infection.

In fact, a recent study found that nearly 20% of Android apps contained some form of malware, including necro.

Additional reading: Scan Website for Malware Free

What Is

Android malware Necro is a type of malicious software that targets Android devices.

It's a type of ransomware that uses encryption to lock users' devices and demands a ransom in exchange for the decryption key.

Credit: youtube.com, Necro Android Malware Found in Popular Apps on Play Store

Necro malware is designed to be highly aggressive and can cause significant damage to an infected device.

It can also steal sensitive information such as login credentials and credit card numbers.

The Necro malware can spread through phishing attacks, infected apps, and even via text messages.

Infected apps can be downloaded from third-party app stores or websites.

Malicious actors can also use Necro to extort money from Android users by threatening to publish their stolen data online.

The Necro malware can be difficult to detect and remove, making it a significant threat to Android users.

Types of Infected Apps

Infected apps can come from anywhere, but some sources are more suspicious than others. Unofficial channels are a major risk, with the Necro-infected Wuta Camera being downloaded over 10 million times from Google Play.

You should also be cautious of mods for popular apps like WhatsApp, Minecraft, and Stumble Guys. These mods often come bundled with Trojans, making them a potential entry point for malware.

Here are some specific examples of infected apps:

  • Minecraft;
  • Stumble Guys;
  • Car Parking Multiplayer;
  • Melon Sandbox.

Spotify Mod Loader

Smartphone with 'stay safe' message on background, highlighting digital safety during pandemic.
Credit: pexels.com, Smartphone with 'stay safe' message on background, highlighting digital safety during pandemic.

The Spotify Mod Loader is a malicious component that was found in a Spotify mod called Spotify Plus. It's a custom Application subclass that initializes an SDK named adsrun, which is intended for integrating advertising modules into the application.

This SDK, specifically the Coral SDK, transmits a POST request to a designated command-and-control server, containing encrypted JSON data about the compromised device and the application hosting the module. The encryption method employed is a substitution cipher, using a standard Java pseudo-random number generator seeded with a predefined constant.

The C2 server returns a JSON response with an error code, encrypted with the same method. A value of 0 indicates successful execution, and the response also contains an array of one object with a link to download the image in PNG format and associated metadata.

Here are some key components of the Spotify Mod Loader:

  • Initializes an SDK named adsrun
  • Transmits a POST request to a C2 server with encrypted JSON data
  • Downloads an image in PNG format from the C2 server
  • Extracts and executes a payload hidden in the image using steganography

The payload is a JAR file encoded with Base64, which is loaded after decoding via DexClassLoader. This JAR file contains an obfuscated native library, libcoral.so, which has an entry point for execution within the loaded class.

Additional reading: Android Com Filetransfer

Credit: youtube.com, Google Android Apps Infected With Malware www.IDTheftSecurity.com for @McAfee

Android malware is a serious concern, especially when it comes to popular apps that millions of users trust. In fact, our research found that several popular apps, including Wuta Camera and Max Browser, contained the Necro loader, a type of malware that can compromise your device.

Some of the most popular apps that were found to be infected with the Necro loader include:

  • Minecraft
  • Stumble Guys
  • Car Parking Multiplayer
  • Melon Sandbox
  • Wuta Camera
  • Max Browser

These apps were downloaded millions of times, with Wuta Camera alone being downloaded over 10 million times. The Necro loader was found in versions of these apps that were available on Google Play, highlighting the importance of regularly updating your apps and being cautious when downloading from unofficial sources.

The Necro loader is a type of malware that can be difficult to detect, as it uses a variety of tactics to stay hidden. For example, it may use a steganographic algorithm to hide its payload in an image file, making it harder to detect.

Google Play Store Issues

Credit: youtube.com, Do you need an antivirus for Android? | Sneaky Google Play virus

More than 10 million people downloaded the Wuta Camera app from Google Play, but it contained a Trojan, known as Necro.

The app was available on Google Play for a while, with versions lower than 6.3.7.138 containing the malicious code.

Even popular apps like Wuta Camera can be compromised, making it essential to be cautious.

The Necro loader was embedded in Wuta Camera starting from version 6.3.2.148 and was only removed after the issue was reported to Google Play.

Max Browser, another app on Google Play, had over a million users and was also infected with Necro, starting with version 1.2.0.

The app was removed from Google Play after the issue was reported, but it's still available on third-party resources.

You should be careful when downloading apps from Google Play, as even popular ones can be compromised.

Prevention and Protection

Protecting your Android device from malware like Necro is crucial to prevent financial repercussions and data breaches. Malicious software like trojans can systematically steal your device data, spread malware to other devices, and hijack your accounts.

Credit: youtube.com, Android malware 'Necro' infects 11 million devices via Google Play

Failing to cover your endpoints could be the first error that leads to a widespread breach. Check Point Harmony Mobile Protection offers full mobile security, delivering complete protection for mobile devices and defending against malware threats like Necro trojan.

To stay safe, make sure to protect your devices with a reputable security app like Kaspersky for Android, which detects Necro and other similar malware. Always check the app page in the store before downloading, and be wary of rave reviews that could be fake.

Payload Lifecycle

The payload lifecycle is a crucial aspect of malware infection. The Necro family of malware obtains download information from command and control (C2) domains, such as bearsplay[.]com, which has been contacted by Necro-family malware.

This C2 domain is also used by the Necro and xHelper Trojans. The functionality of the payload is similar to previous versions of Necro, but with added obfuscation to evade detection.

Two professionals working in a contemporary office environment with computers and casual attire.
Credit: pexels.com, Two professionals working in a contemporary office environment with computers and casual attire.

Here's a breakdown of the payload lifecycle:

The payload configuration structure is a key indicator of the Necro family's involvement. The field names in the configuration match the corresponding fields in other Necro versions.

How to Prevent

Prevention is key to protecting your devices from malicious software. Check Point Harmony Mobile Protection offers full mobile security, delivering complete protection for mobile devices and defending against malware threats like Necro trojan.

To prevent Trojan infections, it's essential to protect your devices. Malicious software, especially trojans, can steal your device data, spread malware to other devices, and hijack your accounts.

One way to prevent Necro is to use Kaspersky for Android, which detects Necro and other similar malware. This can give you peace of mind and help you avoid any potential pitfalls.

When downloading apps, always check the app page in the store before downloading. Look for reviews with low ratings, as these often give heads-up about potential pitfalls. Rave reviews could be fake, while a high overall score is easy to inflate.

Hands using a hand sanitizer bottle to maintain hygiene and prevent germs.
Credit: pexels.com, Hands using a hand sanitizer bottle to maintain hygiene and prevent germs.

To avoid Trojans altogether, don't look for mods or hacked versions of apps. Such apps are almost always stuffed with all kinds of Trojans, from the most harmless to mobile spyware like CanesSpy.

Here are some key takeaways to prevent Trojan infections:

  • Use a reputable mobile security solution like Check Point Harmony Mobile Protection.
  • Use an antivirus app like Kaspersky for Android to detect malware threats.
  • Be cautious when downloading apps and check the app page in the store.
  • Avoid mods or hacked versions of apps, as they often contain Trojans.

Evasion Techniques and Encryption

The Necro Trojan's evasion techniques and encryption methods are quite sophisticated. It uses various methods to decrypt plugins, including a substitution cipher similar to that used for C2 communication.

The plugin loading code supports three main options for decryption: new/enc, ssd, and ori. If no encryption method is specified, the plugin will be decrypted using a substitution cipher. The initial seed for this cipher will be the PMask parameter, which is defined in the mp object within the loader configuration.

Here are the available decryption methods:

  • new/enc: decryption with a substitution cipher similar to that used for C2 communication
  • ssd: plugin decryption using the DES algorithm
  • ori: unencrypted plugin

The Necro Trojan also uses a steganographic algorithm to extract payloads from files with a .png extension. This allows the malware to download and execute plugins without being detected.

Payload Structure

Credit: youtube.com, encrypting payload

The payload structure of the Necro malware is a complex system that allows the attackers to remotely control the infected device. It reads a JSON-formatted configuration embedded within the code, which contains sensitive information.

The configuration is stored in the "hs" object, which stands for "host settings". This object contains four fields: "server", "default", "dataevent", and "PluginServer". The "server" field is used to update the PluginServer server address, which is crucial for the malware's functionality.

The "dataevent" field is used to store various events related to SDK activity. The "default" field is not used at this stage, but it's likely a backup or a default value in case the "server" field is not available.

The "PluginServer" field is used to instruct the Trojan which plugins to download. Initially, a large amount of data is sent to this server, including information about the infected device, its environment, and the infected app.

For another approach, see: Android Auto Not Working after Update

Credit: youtube.com, Payload encryption

Here's a breakdown of the "hs" object:

The "ps" object, which stands for "plugin settings", contains two fields: "web" and "dsp". The "web" field has a value of "canna", while the "dsp" field has a value of "hatch". These values are likely used to block or restrict certain plugins.

The "mp" object, which stands for "module parameters", contains a single field called "PMask" with a value of "159". This field is likely used to control the loading of additional modules or plugins.

Evolution of Trojan Evasion Techniques

The Necro Trojan has been around since late 2018, initially spreading through unofficial WhatsApp add-ons and other modified applications. Its evolution has been marked by a significant increase in popularity, with upwards of 11 million Android devices infected by late 2024.

Hackers have been successful in embedding the Necro trojan into extremely popular apps, making it difficult to trace and prevent. This is a concerning trend, as it shows how adaptable and sneaky malware can be.

Credit: youtube.com, X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure? - Thomas Roccia

The Necro trojan's evasion techniques have become more sophisticated over time. One example is its ability to use obfuscators to make it harder for security solutions to detect and analyze the malware. This is evident in the payload configuration structure, which is identical to older versions of Necro.

The Necro trojan's plugin loading code supports various methods, including decryption using a substitution cipher or the DES algorithm. If no encryption method is specified, the plugin will be decrypted using a substitution cipher with an initial seed from the PMask parameter.

The malware's plugin loading code also allows for loading plugins using DexClassLoader or new resources. This suggests that Necro is highly adaptable and can download different iterations of itself to introduce new features.

Here are some of the decryption methods used by the Necro trojan:

The actual number of infected devices might be much higher than the reported 11 million, considering the trojan also infiltrated modified versions of popular apps distributed through unofficial sources.

Trojan's Impact

Credit: youtube.com, Necro Trojan Strikes Again - Google Play - 🛑📱 Android 🛑📱

The impact of Android malware Necro can be devastating. A malicious actor can gain access to your device via remote access and create recurring billing payments through the Google Play store to nefarious applications or services.

This can lead to financial damages, draining your bank account without you even realizing it. It's like having a thief in your pocket, stealing from you every month.

Necro trojan can also consume your device's internal resources, dramatically slowing it down. This is often used in cryptocurrency farming operations, where the malware uses your device to mine for cryptocurrency.

Your device can become completely corrupted, rendering it inoperable. This is a nightmare scenario for anyone who relies on their phone for work or personal use.

Here are some potential outcomes of a device infected with Necro trojan:

  • Financial Damages: recurring billing payments to nefarious applications or services
  • Resource Stealing: consuming device's internal resources for cryptocurrency farming operations
  • Further Downloads: downloading other forms of malware, potentially corrupting the device
  • Data Exfiltration: extracting device's files, potentially leading to a ransomware event

Elaine Block

Junior Assigning Editor

Elaine Block is a seasoned Assigning Editor with a keen eye for detail and a passion for storytelling. With a background in technology and a knack for understanding complex topics, she has successfully guided numerous articles to publication across various categories. Elaine's expertise spans a wide range of subjects, from cutting-edge tech solutions like Nextcloud Configuration to in-depth explorations of emerging trends and innovative ideas.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.