Date: 2024-09-25

Security researchers at Kaspersky have discovered a new version of the Necro trojan targeting Android users through both Google Play apps and modified APKs (Android application packages) hosted on third-party websites. This malicious software poses a serious threat, capable of stealing sensitive data, installing additional malware, and remotely executing commands on infected devices.

Google Play Apps Removed

Kaspersky researchers identified two apps on the Google Play Store infected with the Necro trojan:

Wuta Camera: Downloaded over 10 million times.

Max Browser: Downloaded over 1 million times.

Google removed these infected apps from the Play Store after being notified by Kaspersky.

The researchers also discovered the Necro trojan lurking in unofficial "modded" versions of popular apps, including Spotify, WhatsApp, Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. These modified APKs, often promising premium features for free, are widely available on third-party websites and pose a significant risk to unsuspecting users.

The attackers employ various methods to distribute the malware. In the case of the Spotify mod, an embedded SDK displayed advertising modules. If a user interacted with a specific image-based module, the trojan payload would be deployed from a command-and-control (C&C) server.

Similarly, the WhatsApp mod exploited Google's Firebase Remote Config cloud service as a C&C server, deploying the trojan upon user interaction with a specific module.

Necro Trojan Capabilities

Once installed, the Necro trojan can perform a range of malicious activities, including:

Downloading and installing malicious files and apps.

Opening invisible browser windows to execute malicious JavaScript code.

Subscribing users to expensive paid services without their knowledge.

Stealing sensitive information like login credentials and financial data.

Protecting Yourself

While the infected Google Play apps have been removed, the risk from modded APKs remains. Kaspersky strongly advises users to:

Avoid downloading apps from untrusted third-party sources.

Only download apps from official app stores like Google Play.

Be wary of apps promising premium features for free.

Install a reputable mobile antivirus solution.