Necro Trojan Hacks 11 Million Android Devices Using Stealthy Steganography

The recent Necro Trojan variant has infected a wide range of popular applications, including both official and unofficial versions, by employing obfuscation and steganography techniques to evade detection. 

Once executed, it can perform malicious activities like displaying invisible ads, downloading and executing arbitrary files, and installing applications without user knowledge. 

The infected applications have a combined user base of over 11 million Android devices, highlighting the significant potential impact of this malware.

Site containing the Spotify mod

Necro Trojan spreads through disguised app mods such as Spotify Plus. The mod injects a custom SDK (adsrun) that transmits device information to a command-and-control (C2) server; the server responds with a link to download a malicious image in which a JAR payload has been hidden using steganography.

The mod extracts the JAR payload from the image and executes it using a native library. The researchers found similar malicious loaders embedded in popular apps on Google Play, including Wuta Camera and Max Browser, which were downloaded millions of times before being taken down.
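The article does not say how the JAR is hidden inside the image, so the following added example (not code from the article or from the researchers) assumes the simplest case: archive bytes appended after the image's terminator. It walks PNG chunks to the IEND chunk (or the JPEG EOI marker), measures any trailing data, and asks Python's `zipfile` whether a ZIP/JAR is readable from the blob, since ZIP readers locate the archive from its end and ignore leading bytes; `build_samples` constructs a clean 1x1 PNG and an infected copy for testing.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"


def image_end(data: bytes):
    """Offset just past the image terminator (PNG IEND chunk or JPEG EOI), or None."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length  # 4-byte length + 4-byte type + payload + 4-byte CRC
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(JPEG_SOI):
        eoi = data.find(JPEG_EOI)  # heuristic: an EXIF thumbnail can carry an earlier EOI
        return None if eoi == -1 else eoi + 2
    return None


def scan_image(data: bytes) -> dict:
    """Report bytes after the image terminator and any ZIP/JAR entries readable from the file."""
    end = image_end(data)
    trailing = len(data) - end if end is not None else 0
    entries = []
    if zipfile.is_zipfile(io.BytesIO(data)):  # ZIP readers tolerate leading non-ZIP bytes
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.namelist()
    return {"trailing_bytes": trailing, "zip_entries": entries,
            "suspicious": bool(entries) or trailing > 0}


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_samples():
    """Constructed inputs: a minimal 1x1 grayscale PNG, and the same PNG with a fake JAR appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    clean = PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"placeholder, not real Dalvik bytecode")  # constructed entry
    return clean, clean + buf.getvalue()
```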

Malicious loader in Wuta Camera

Researchers also discovered malicious WhatsApp mods containing the Necro downloader (identified by a specific code), which masquerade as legitimate sticker apps and use Firebase Remote Config for communication. The malicious code runs only with a certain probability (either 84% or 90%), decided by a generated random number and the app’s package name.

In these mods the downloaded payloads are not encoded, and the next-stage payload is loaded without native code. The same loader variant was also found in infected game mods and in some apps on Google Play, suggesting that their developers used an untrusted ad integration solution.

Running the payload

A new Necro payload was confirmed to belong to the Necro family based on similarities in code, configuration structure, and C2 communication. 

According to Securelist, the payload fetches a JSON configuration upon launch, containing server addresses, plugin management settings, and potentially malicious service launch instructions.

It communicates with the C2 server for updates and plugin download instructions, sending detailed device and app information in return. Downloaded plugins likely provide the malware’s core malicious functionality. 

Sending collected data to PluginServer

Necro Trojan utilizes a modular design with plugins for various functionalities, which are downloaded from C2 servers and decrypted using different methods based on file extensions and embedded instructions. After decryption, plugins are loaded using different class loaders depending on their functionalities. 

Plugins can establish tunnels, display intrusive ads, steal device information, download and execute executables, and update themselves from secondary C2 servers. The modular design allows Necro to be highly adaptable and potentially introduce new malicious features. 

Necro Trojan infection diagram

Necro is a multi-stage loader that uses steganography and obfuscation to evade detection. It has infected tens of thousands of devices worldwide and was distributed primarily through modified versions of popular apps on unofficial platforms.

The Trojan’s modular architecture allows its creators to deliver updates or new malicious modules to infected devices. To protect against infection, users should update or delete affected apps, download apps from official sources only, and use a reliable security solution.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
