Recently, the malware loader known as Necro has drawn renewed attention. The latest version of Necro spreads through modified versions of legitimate applications such as Spotify, WhatsApp, and Minecraft. The malware was found not only on third-party platforms but also briefly appeared in the Google Play Store. Infected applications included "Wuta Camera" and "Max Browser," with downloads exceeding 10 million and 1 million, respectively. While "Wuta Camera" has removed the malicious code in its latest update, "Max Browser" has since been removed from the Play Store.
Necro Technical Analysis
In malware attacks, technical details often determine the stealth, propagation, and control abilities of the software. Necro uses some highly sophisticated techniques to evade detection and execute various malicious actions on victim devices.
Below is a detailed technical analysis of the Necro malware:
1. Steganography
Steganography is a technique used to hide information within other content. Necro uses this technique to hide its malicious payload in regular files. Specifically, attackers embed malicious code within PNG image files, which are then transmitted over the network to infected applications.
The process works as follows:
- The infected app sends an HTTP POST request to a remote server via the Coral SDK.
- The server responds with a link to a file hosted on adoss.spinsok[.]com, disguised as a PNG image.
- The app then downloads this image and extracts a Base64-encoded JAR file (Java archive) from it.
Through steganography, the malware hides its code within what appears to be harmless images, thus bypassing antivirus software. This technique is quite rare in mobile malware, significantly enhancing the malware's stealth.
2. Obfuscation
Obfuscation is another commonly used technique aimed at making the code difficult to reverse engineer and detect. Necro employs highly complex code obfuscation, making it hard for security tools to understand its true function.
More specifically, the malware alters variable names, control flows, and function calls to make the code unintelligible, confusing both static and dynamic analysis tools. This increases the difficulty of detecting and analyzing the malware.
3. Modular Architecture
Necro's design features a modular architecture, allowing it to download and load different functionality modules based on the attacker’s needs. This modular structure not only provides flexibility in expanding the malware’s capabilities but also allows it to perform specific attack tasks when necessary.
The key modules used by Necro include:
- NProxy: This module creates a tunnel on the infected device to communicate data between the Command and Control (C2) server and the victim's device. The tunnel can bypass network restrictions on the device, facilitating data exfiltration or attacker instructions.
- Island: This module generates pseudo-random numbers to control the intervals (in milliseconds) between intrusive ads. These ads may be delivered through other modules, with the random numbers used to avoid detection by users.
- Web: The Web module maintains contact with the C2 server and can execute arbitrary code with elevated privileges when necessary. It remotely loads specific links and executes embedded JavaScript code, giving further control over the device.
- Cube SDK: This auxiliary module handles ad loading and manages other plugins to increase ad display frequency in the background, generating revenue for the attackers.
- Tap: The Tap module downloads arbitrary JavaScript code and renders it via WebView, secretly loading and interacting with ads on the device.
- Happy SDK / Jar SDK: This module combines the functionality of NProxy and Web modules, streamlining both, but with some optimizations for different attack scenarios.
These modules work together to give attackers remote control over various device functions. By downloading and executing additional modules, Necro can perform a range of malicious actions, including data theft, ad displays, installing other malicious applications, and more.
4. Command and Control (C2) Server
Necro's C2 server is the central system for communication between the attackers and the malware. Through this server, attackers can:
- Dynamically update the malware's capabilities.
- Download new modules or plugins.
- Extract sensitive data from devices.
- Perform custom-tailored attacks.
The C2 server communicates with infected devices via HTTP/HTTPS, ensuring real-time command execution. Encryption techniques are also used to protect the communication link, making it difficult to intercept or analyze.
5. WebView-based Malicious Activity
WebView is a component used in Android to display web content. Necro exploits WebView for ad injection, automatic ad clicking, and even remote JavaScript code execution. The steps are as follows:
- The malware operates in the background using invisible WebView windows.
- It loads malicious ad links or executes hidden code without the user's knowledge.
This entire process is fully automated and invisible to the user. Through this method, attackers can trigger paid subscriptions, generate fraudulent click traffic, and more.
6. Advanced Evasion Techniques
Beyond steganography and obfuscation, Necro employs techniques like dynamic module loading, static detection avoidance, and delayed malicious actions to further evade security software. For example, after infecting a device, the malware doesn’t immediately execute its payload but instead waits to download it dynamically, making early detection difficult.
Scope and Impact
According to data collected by Kaspersky, thousands of Necro attacks were blocked globally between August 26, 2024, and September 15, 2024. The countries most affected include Russia, Brazil, Vietnam, Mexico, and Taiwan. Although Google Play has removed the malicious apps, this incident highlights that users are not entirely safe from threats, even when downloading from official app stores.
How to Protect Android Devices
- Download apps only from official sources: While the Google Play Store is relatively safe, it’s not foolproof. Avoid downloading apps from untrusted third-party platforms.
- Keep apps and the system updated: Developers often release updates to patch vulnerabilities and remove potential threats. Keeping apps and the OS updated can reduce the risk of malware attacks.
- Install reliable security software: Using trusted antivirus software, like Kaspersky, can detect and block malicious activity. Enable Google Play Protect for automatic scanning of installed apps.
- Review app permissions: Be mindful of what permissions an app requests. If an app asks for unnecessary access, like a simple camera app asking for contacts or location, it may be suspicious.
- Uninstall unnecessary apps: Remove apps that are no longer in use, especially those installed from unknown sources. Keeping only essential apps reduces the chances of security risks.