In late August 2024, Kaspersky experts identified a new version of the Necro Trojan that had infiltrated several popular applications on Google Play and modified applications on unofficial platforms, including Spotify, WhatsApp and Minecraft. Necro is an Android downloader that downloads and runs other malicious components on infected devices based on commands issued by the Trojan’s creators. Kaspersky’s solutions recorded* Necro attacks targeting users in Russia, Brazil, Vietnam, Ecuador, and Mexico as part of this malicious campaign.
Capabilities of the Necro Trojan
The variant of Necro discovered by Kaspersky experts can download modules onto infected smartphones that display ads in invisible windows and click on them, download executable files, install third-party applications, and open arbitrary links in invisible WebView windows to execute JavaScript code. Based on its technical characteristics, the Trojan is also likely capable of subscribing users to paid services. Additionally, the downloaded modules allow attackers to redirect internet traffic through the victim’s device. This enables cybercriminals to visit prohibited or desired resources using the victim’s device, potentially utilizing it as part of a proxy botnet.
Infected Apps on Unofficial Platforms
The first discovery of Necro by company’s experts was in a modified version of Spotify Plus. The creators of the app claimed that it was safe for devices and offered additional features not found in the official music streaming app. Subsequently, experts also found a modified version of WhatsApp containing the Necro downloader, followed by infected versions of popular games, including Minecraft, Stumble Guys, and Car Parking Multiplayer. Necro was embedded into these applications via an unverified ad module.
Infected Apps on Google Play
The Necro campaign extended beyond third-party platforms and was also discovered on Google Play. The malicious downloader was found in the Wuta Camera app and Max Browser. According to Google Play statistics, the combined downloads of these apps exceeded 11 million. On this platform, Necro was also distributed via an unverified ad module. Following Kaspersky Lab’s report to Google, the malicious code was removed from Wuta Camera, and Max Browser was taken down from the store. However, users still risk encountering Necro on unofficial platforms.