Altered versions of legitimate Android apps related to Spotify, WhatsApp and Minecraft were used to deliver a new version of a popular malware downloader called Necro.
Kaspersky said the malware was also found in two apps on the Google Play Store that have together been downloaded more than 11 million times. They are –
- Wuta Camera – Nice Shot Always (com.benqu.wuta) – Over 10 million downloads
- Max Browser-Private & Security (com.max.browser) – 1+ million downloads
At the time of writing, Max Browser is no longer available for download from the Play Store. Wuta Camera, on the other hand, has been updated (version 6.3.7.138) to remove malware. The latest version of the program, 6.3.8.148, was released on September 8, 2024.
It’s currently unclear how both apps were compromised by the malware, though it’s believed to have come in through a rogue software development kit (SDK) used to integrate advertising.
Necro (not to be confused with the botnet of the same name) was first discovered by the Russian cybersecurity company in 2019, when it was found hidden in a popular document-scanning app called CamScanner.
CamScanner later blamed the problem on an advertising SDK supplied by a third party called AdHub, which it said contained a malicious module that fetched the next-stage payload from a remote server, essentially acting as a downloader for all kinds of malware on victims’ devices.
The new version of the malware is no different in purpose, but it adds obfuscation to evade detection and, notably, uses steganography to hide its payloads.
“The downloaded payloads could, among other things, display and interact with ads in invisible windows, download and run arbitrary DEX files, and install programs they downloaded,” said Kaspersky researcher Dmitry Kalinin.
It can also “open arbitrary links in invisible WebView windows and execute any JavaScript code within them, run a tunnel through the victim’s device, and potentially subscribe to paid services.”
One of Necro’s known means of delivery is modified versions of popular programs and games hosted on unofficial websites and app stores. Once downloaded, the application initializes a module called the Coral SDK, which in turn sends an HTTP POST request to the remote server.
The server then responds with a link to a purported PNG image file hosted on adoss.spinsok(.)com, after which the SDK extracts the main payload from the image: a Base64-encoded Java Archive (JAR) file.
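The article says only that the downloaded “PNG” carries a Base64-encoded JAR, not where in the file the bytes live. The following Python is an added triage example, not Kaspersky’s code and not the Coral SDK’s own extraction routine; as an assumption it checks the two simplest hiding spots a loader could use (bytes appended after the IEND chunk, and bytes placed in a non-standard or corrupt chunk) and carves out anything that Base64-decodes to a valid ZIP/JAR. The sample PNG and JAR are constructed inline, and the private chunk name `pYLd` is hypothetical.

```python
"""Triage a 'PNG' fetched by a suspicious ad SDK for a smuggled Base64-encoded JAR.

Added example, not Kaspersky's code and not Necro's loader. Assumption: the JAR is
hidden either after IEND or inside a non-standard ancillary chunk. Sample input is
constructed inline; the chunk name 'pYLd' is hypothetical.
"""
import base64
import io
import re
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA",
                   b"iCCP", b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD",
                   b"hIST", b"pHYs", b"sPLT", b"tIME"}
# Base64 of the ZIP/JAR local-file header "PK\x03\x04" always begins with "UEsD".
B64_ZIP = re.compile(rb"UEsD[A-Za-z0-9+/]{16,}={0,2}")


def parse_png(data: bytes):
    """Walk the chunk list; return ([(type, body, crc_ok)], trailing_bytes)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break  # truncated chunk: treat the remainder as trailing data
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = stored_crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype, body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break  # anything after IEND is not part of the image
    return chunks, data[pos:]


def carve_jar(blob: bytes):
    """Return the decoded ZIP/JAR hidden as Base64 inside blob, or None."""
    for m in B64_ZIP.finditer(blob):
        text = m.group(0)
        text = text[:len(text) - len(text) % 4]  # drop a ragged tail, if any
        try:
            decoded = base64.b64decode(text, validate=True)
        except ValueError:
            continue
        if zipfile.is_zipfile(io.BytesIO(decoded)):
            return decoded
    return None


def scan(data: bytes) -> dict:
    """Report trailing data, odd/corrupt chunks, and any JAR carved from either."""
    chunks, trailing = parse_png(data)
    report = {"trailing_bytes": len(trailing), "odd_chunks": [], "jar_entries": None}
    suspects = [trailing]
    for ctype, body, crc_ok in chunks:
        if ctype not in STANDARD_CHUNKS or not crc_ok:
            report["odd_chunks"].append(ctype.decode("latin-1"))
            suspects.append(body)
    for blob in suspects:
        jar = carve_jar(blob)
        if jar is not None:
            with zipfile.ZipFile(io.BytesIO(jar)) as zf:
                report["jar_entries"] = zf.namelist()
            break
    return report


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_jar() -> bytes:
    """Constructed stand-in for the downloaded JAR (the DEX entry is a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    return buf.getvalue()


def build_sample_png(hide: str = "none") -> bytes:
    """Constructed 1x1 RGB PNG; hide='append' puts the Base64 JAR after IEND,
    hide='chunk' puts it in the hypothetical private chunk 'pYLd'."""
    jar_b64 = base64.b64encode(build_sample_jar())
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter 0 + one red pixel
    png = PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
    if hide == "chunk":
        png += make_chunk(b"pYLd", jar_b64)
    png += make_chunk(b"IEND", b"")
    if hide == "append":
        png += jar_b64
    return png


if __name__ == "__main__":
    for mode in ("none", "append", "chunk"):
        print(mode, scan(build_sample_png(mode)))
```

A clean PNG produces no trailing bytes, no odd chunks and no JAR; the two smuggled variants each yield the JAR’s entry list. A loader that instead spreads the payload across pixel values (true steganography, as the article describes) would pass this check, so treat a negative result as “nothing obvious”, not as a clean bill of health.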
Necro’s malicious functions are implemented using a set of additional modules (aka plugins) downloaded from the Command and Control (C2) server, which allows it to perform a wide range of actions on an infected Android device –
- NProxy – Create a tunnel through the victim device
- island – generates a pseudo-random number that is used as the time interval (in milliseconds) between intrusive ads
- web – Periodically contacts the C2 server and executes arbitrary code with elevated permissions when certain links are loaded
- Cube SDK – A helper module that loads other plugins to handle ads in the background
- Click – Downloads arbitrary JavaScript code and a WebView interface from the C2 server that are responsible for covertly loading and viewing ads
- Happy SDK/Jar SDK – A module that combines the NProxy and web modules with some minor differences
The discovery of the Happy SDK raises the possibility that the threat actors behind the campaign are also experimenting with a non-modular version.
“This shows that Necro is very adaptive and can download different iterations on its own, possibly to implement new features,” Kalinin said.
Telemetry data collected by Kaspersky shows that between August 26 and September 15, 2024, it blocked more than ten thousand Necro attacks worldwide, with Russia, Brazil, Vietnam, Ecuador, Mexico, Taiwan, Spain, Malaysia, Italy and Turkey the most-attacked countries.
“This new version is a multi-stage bootloader that used steganography to hide the second-stage payload, a very rare method for mobile malware, and obfuscation to avoid detection,” Kalinin said.
“The modular architecture gives Trojan creators a wide range of options for both bulk and targeted delivery of bootloader updates or new malicious modules depending on the infected application.”