Necro Trojan Detected in Google Play Apps and Modded Versions of Spotify, WhatsApp

Some Google Play apps and unofficial mods of popular apps are being targeted by attackers to spread a dangerous malware, according to security researchers. The purported Necro trojan is capable of logging keystrokes, stealing sensitive information, installing additional malware, and remote execution of commands. Two apps in the Google Play app store have been spotted with this malware. Further, modded (modified) Android application packages (APKs) of apps such as Spotify, WhatsApp, and games like Minecraft were also detected distributing the trojan.

Google Play Apps, Modded APKs Used to Spread Necro Trojan

The first time a trojan from the Necro family was spotted was in 2019 when the malware infected the popular PDF maker app CamScanner. The official version of the app in Google Play with more than 100 million downloads posted a risk to users, but a security patch fixed the issue at the time.

According to a post by Kaspersky researchers, a new version of the Necro trojan has now been spotted in two Google Play apps. The first is the Wuta Camera app which has been downloaded more than 10 million times, and the second is Max Browser with more than a million downloads. The researchers have confirmed that Google took down the infected apps after Kaspersky reached out to the company.

The main issue stems from a large number of unofficial ‘modded’ versions of popular apps, which are found hosted on a large number of third-party websites. Users can mistakenly download and install them on their Android devices, infecting them in the process. Some of the APKs with the malware spotted by researchers include modified versions of Spotify, WhatsApp, Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox — these modded versions promise users access to features that typically require a paid subscription.

Interestingly, it appears the attackers are using a range of methods to target users. For instance, the Spotify mod contained an SDK which displayed multiple advertising modules, as per the researchers. A command-and-control (C&C) server was being used to deploy the trojan payload if the user accidentally touched the image-based module.

Similarly, in the WhatsApp mod, it was found that the attackers had overwritten Google’s Firebase Remote Config cloud service to use it as the C&C server. Ultimately, interacting with the module would deploy and execute the same payload.

Once deployed, the malware could “download executable files, install third-party applications, and open arbitrary links in invisible WebView windows to execute JavaScript code,” highlighted the Kaspersky post. Further, it could also subscribe to expensive paid services without the user knowing.

While the apps in Google Play have already been taken down, users are urged to be careful while downloading Android apps from third-party sources. In case they do not trust the marketplace, they should refrain from downloading or installing any app or files.