Security researchers have issued an urgent alert about a new variant of the Necro Trojan that has infiltrated over 11 million Android devices through both the official Google Play Store and other unofficial app stores.
The Necro Trojan was also found in unofficial versions of popular apps like Spotify, WhatsApp, and Minecraft, distributed outside the official Google Play Store. These modified apps, often called mods, are tweaked versions of original apps that offer additional features or remove limitations, the cybersecurity company Kaspersky warned in a statement this week.

The new Necro Trojan variant, discovered in August 2024, has the ability to download modules (smaller pieces of software that each perform a specific function within a larger program) that open ads in invisible windows and click on them, Kaspersky said. It can also install third-party applications, download executable files, and subscribe users to paid services without their knowledge.
“Necro is an Android downloader that downloads and runs other malicious components on infected devices based on commands issued by the Trojan’s creators. Kaspersky’s solutions recorded Necro attacks targeting users in Russia, Brazil, Vietnam, Ecuador, and Mexico as part of this malicious campaign,” according to Kaspersky researchers.
What is a Trojan?
A Trojan is a type of malicious software that disguises itself as a legitimate or useful application in order to trick users into downloading and installing it on their devices. Once installed, the Trojan can execute harmful activities in the background, such as stealing personal information, displaying unwanted ads, or even taking control of the device remotely. The name “Trojan” comes from the story of the Trojan Horse, where the hidden attackers entered the city of Troy in a deceptive manner. In the digital world, Trojans operate in much the same way.
One feature of the Trojan is its ability to redirect internet traffic through infected devices, effectively turning them into proxies that cybercriminals can use for malicious purposes, such as visiting prohibited or desired resources using the victim's device, the cybersecurity firm explained.
“The first discovery of Necro by the company’s experts was in a modified version of Spotify Plus. The creators of the app claimed that it was safe for devices and offered additional features not found in the official music streaming app. Subsequently, experts also found a modified version of WhatsApp containing the Necro downloader, followed by infected versions of popular games, including Minecraft, Stumble Guys, and Car Parking Multiplayer. Necro was embedded into these applications via an unverified ad module,” according to Kaspersky.
“The Necro campaign extended beyond third-party platforms and was also discovered on Google Play. The malicious downloader was found in the Wuta Camera app and Max Browser. According to Google Play statistics, the combined downloads of these apps exceeded 11 million. On this platform, Necro was also distributed via an unverified ad module. Following Kaspersky’s report to Google, the malicious code was removed from Wuta Camera, and Max Browser was taken down from the store. However, users still risk encountering Necro on unofficial platforms.”
“Users often download unofficial, modified apps to bypass restrictions in official applications or to access additional free features. Cybercriminals exploit this behaviour, spreading malware with these apps as there is no moderation on third-party platforms,” says Dmitry Kalinin, cybersecurity expert at Kaspersky. “It is also noteworthy that the version of Necro embedded in these applications used steganography techniques, hiding its payload within images to remain undetected – a very rare method for mobile malware.”
How to Protect Yourself from Trojans
Kaspersky experts recommend several best practices for staying safe from Trojans and other forms of malware:
- “Download apps only from official sources.
- Regularly update their operating system and installed applications.
- Use a reliable security solution from a trusted manufacturer whose products are verified by independent test labs, such as Kaspersky Premium.”