Kaspersky discovered a new Necro Trojan variant in modified versions of popular apps such as Spotify, WhatsApp, and Minecraft distributed on unofficial platforms, as well as in apps on Google Play, targeting users in multiple countries. The Trojan can execute malicious tasks such as installing apps, opening hidden links, and redirecting internet traffic, posing significant risks to users.
27 September 2024 – In late August 2024, cybersecurity experts at Kaspersky uncovered a new variant of the Necro Trojan, which had infiltrated various popular applications on both official and unofficial platforms, including modified versions of Spotify, WhatsApp, and Minecraft. Necro, an Android downloader, enables cybercriminals to install additional malicious components on infected devices by executing commands from its creators. This recent campaign has predominantly targeted users in countries such as Russia, Brazil, Vietnam, Ecuador, and Mexico.
The latest variant of the Necro Trojan comes equipped with enhanced capabilities. Once installed on a smartphone, it can display invisible ads, automatically click on them, download executable files, install unauthorized apps, and open hidden WebView windows to execute JavaScript. It can also potentially subscribe users to paid services without their knowledge. In addition, Necro can redirect internet traffic through compromised devices, allowing attackers to access restricted websites or use the device as part of a proxy botnet.
Initially detected in a modified version of Spotify Plus, Necro was also found embedded in unofficial versions of WhatsApp and popular mobile games such as Minecraft, Stumble Guys, and Car Parking Multiplayer. These apps, sourced from third-party platforms, carried the malicious software via an unverified ad module.
Kaspersky researchers also identified Necro on official platforms like Google Play. Malicious code was discovered in apps like Wuta Camera and Max Browser, which together have exceeded 11 million downloads. Though the malicious code was removed following Kaspersky’s report, the risk remains on unofficial platforms.
“Cybercriminals often exploit users’ tendency to download modified apps from unofficial sources, where there is no oversight or moderation,” said Dmitry Kalinin, a cybersecurity expert at Kaspersky. “This particular version of Necro used a sophisticated technique, embedding its payload within images to evade detection — a rare method for mobile malware.”
Kaspersky’s solutions effectively protect against this Trojan, identifying the downloader as Trojan-Downloader.AndroidOS.Necro.f and Trojan-Downloader.AndroidOS.Necro.h, with associated malicious components recognized as Trojan.AndroidOS.Necro.