Altered versions of legitimate Android apps associated with Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro.
Kaspersky said some of the malicious apps have also been found on the Google Play Store. They have been cumulatively downloaded 11 million times. They include –
- Wuta Camera – Nice Shot Always (com.benqu.wuta) – 10+ million downloads
- Max Browser-Private & Security (com.max.browser) – 1+ million downloads
As of writing, Max Browser is no longer available for download from the Play Store. Wuta Camera, on the other hand, has been updated (version 6.3.7.138) to remove the malware. The latest version of the app, 6.3.8.148, was released on September 8, 2024.
It’s currently not clear how both the apps were compromised with the malware in the first place, although it’s believed that a rogue software developer kit (SDK) for integrating advertising capabilities is the culprit.
Necro (not to be confused with a botnet of the same name) was first discovered by the Russian cybersecurity company in 2019 when it was hidden within a popular document scanning app called CamScanner.
CamScanner later blamed the issue on an advertisement SDK provided by a third-party named AdHub that it said contained a malicious module to retrieve next-stage malware from a remote server, essentially acting as a loader for all kinds of malware onto victim devices.
The new version of the malware is no different, although it packs in obfuscation techniques to evade detection, particularly leveraging steganography to hide payloads.
“The downloaded payloads, among other things, could display ads in invisible windows and interact with them, download and execute arbitrary DEX files, install applications it downloaded,” Kaspersky researcher Dmitry Kalinin said.
It can also “open arbitrary links in invisible WebView windows and execute any JavaScript code in those, run a tunnel through the victim’s device, and potentially subscribe to paid services.”
One of the prominent delivery vehicles for Necro is modded versions of popular apps and games that are hosted on unofficial sites and app stores. Once downloaded, the apps initialize a module named Coral SDK, which, in turn, sends an HTTP POST request to a remote server.
The server subsequently responds with a link to a purported PNG image file hosted on adoss.spinsok[.]com, following which the SDK proceeds to extract the main payload – a Base64-encoded Java archive (JAR) file – from it.
Necro’s malicious functions are realized through a set of additional modules (aka plugins) that are downloaded from the command-and-control (C2) server, allowing it to perform a wide range of actions on the infected Android device –
- NProxy – Create a tunnel through the victim’s device
- island – Generate a pseudo-random number that’s used as a time interval (in milliseconds) between displays of intrusive ads
- web – Periodically contact a C2 server and execute arbitrary code with elevated permissions when loading specific links
- Cube SDK – A helper module that loads other plugins to handle ads in the background
- Tap – Download arbitrary JavaScript code and a WebView interface from the C2 server that are responsible for covertly loading and viewing ads
- Happy SDK/Jar SDK – A module that combines NProxy and web modules with some minor differences
The discovery of Happy SDK has raised the possibility that the threat actors behind the campaign are experimenting with a non-modular version as well.
“This suggests that Necro is highly adaptable and can download different iterations of itself, perhaps to introduce new features,” Kalinin said.
Telemetry data gathered by Kaspersky shows that it blocked over ten thousand Necro attacks worldwide between August 26 and September 15, 2024, with Russia, Brazil, Vietnam, Ecuador, Mexico, Taiwan, Spain, Malaysia, Italy, and Turkey accounting for the most number of attacks.
“This new version is a multi-stage loader that used steganography to hide the second-stage payload, a very rare technique for mobile malware, as well as obfuscation to evade detection,” Kalinin said.
“The modular architecture gives the Trojan’s creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application.”
