| Necro | |
|---|---|
| Type of Malware | Trojan |
| Date of Initial Activity | 2019 |
| Associated Groups | Necromancers |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Android |
Overview
The Necro Trojan has become a persistent and evolving threat to Android users, consistently infiltrating popular applications and modded versions of apps, such as Spotify, WhatsApp, and Minecraft. Initially discovered in 2019 within the widely-used CamScanner app, which boasted over 100 million downloads, Necro has resurfaced with more sophisticated techniques to evade detection and increase its reach. By leveraging both official app stores like Google Play and unofficial third-party websites, Necro has gained a foothold in millions of devices worldwide. Its functionality has evolved from basic adware to a more dangerous multi-stage loader capable of executing arbitrary commands, displaying invisible ads, and even subscribing to paid services without the user’s consent.
The latest iteration of Necro, identified in several Android apps, uses advanced obfuscation and steganography to hide its malicious payloads. The payloads travel inside seemingly harmless files, such as PNG images, which carry the JAR files holding the Trojan's core functionality. Once activated, the payloads can interact with invisible ad windows, run arbitrary JavaScript, and open backdoors for remote command execution. The Trojan is particularly dangerous because it targets both legitimate applications and pirated versions, using both distribution vectors to maximize its infection rate.
Targets
Individuals
How they operate
The first stage of the Necro Trojan’s operation typically involves its distribution through both official app stores like Google Play and unofficial third-party websites. It often disguises itself as a legitimate application or modded version of popular apps like Spotify, WhatsApp, and Minecraft. For instance, in the case of the Spotify Plus mod, Necro was embedded into the app’s custom SDK. Once the app is installed and launched, the Trojan initiates by establishing a communication link with a command-and-control (C2) server. This server responds with encrypted data containing instructions and the location of the next stage of the malware payload.
One of the key methods Necro uses to hide its malicious activities is steganography. An infected application may ship what appears to be a benign PNG image, but the image is a carrier for the next stage of the malware. Before processing it, Necro's loader checks the image's MD5 hash against a value supplied by the C2 server. If the hashes match, the loader reads the image's pixel values and reassembles a byte sequence from them; that sequence is Base64-encoded data which, once decoded, yields a JAR file. The JAR is then loaded with DexClassLoader and its code executed. The loaded payload carries out a variety of harmful actions, such as displaying invisible ads, opening WebView windows to run arbitrary JavaScript, or installing other malicious apps onto the device.
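The recovery step described above, as an added example that is not Necro's code or any code from the report it summarises: a constructed RGBA PNG carries one byte of the hidden data per pixel in the blue channel (the least significant byte of each packed ARGB value, which is what Android's Bitmap.getPixels() hands a loader), and the extractor performs the same sequence as the loader: verify the carrier's MD5 against the value the C2 would supply, read the pixels, take the low byte of each, Base64-decode, and check that the result is a JAR (a ZIP archive). The 4-byte length prefix, the blue-channel placement, the channel order and the stand-in payload are assumptions for the demo; the minimal PNG decoder handles only filter type 0, which is what the constructed carrier uses, so run field samples through a full decoder such as Pillow.

```python
import base64
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, tag, body, CRC32 over tag+body."""
    crc = struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)
    return struct.pack(">I", len(body)) + tag + body + crc


def write_png_rgba(width: int, height: int, pixels: list) -> bytes:
    """Encode (r, g, b, a) tuples as an 8-bit RGBA PNG, filter type 0 per scanline."""
    rows = []
    for y in range(height):
        row = pixels[y * width:(y + 1) * width]
        rows.append(b"\x00" + bytes(c for px in row for c in px))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"".join(rows))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def read_png_rgba(data: bytes) -> list:
    """Decode an 8-bit RGBA PNG to (r, g, b, a) tuples. Demo decoder: filter type 0 only;
    use a full decoder (e.g. Pillow) on carriers taken from real samples."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 6):
                raise ValueError("demo decoder handles 8-bit RGBA only")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw, stride, pixels = zlib.decompress(idat), width * 4 + 1, []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("demo decoder handles filter type 0 only")
        pixels.extend(tuple(row[1 + 4 * x:5 + 4 * x]) for x in range(width))
    return pixels


def build_carrier(payload: bytes, width: int = 64) -> bytes:
    """Hide base64(payload), prefixed by its 4-byte length (assumed framing), one byte per
    pixel in the blue channel, i.e. the least significant byte of each ARGB value."""
    hidden = base64.b64encode(payload)
    hidden = struct.pack(">I", len(hidden)) + hidden
    height = -(-len(hidden) // width)                    # ceiling division
    hidden += b"\x00" * (width * height - len(hidden))   # pad the last row
    pixels = [((i * 37) & 0xFF, (i * 91) & 0xFF, b, 255) for i, b in enumerate(hidden)]
    return write_png_rgba(width, height, pixels)


def carrier_md5(png: bytes) -> str:
    return hashlib.md5(png).hexdigest()


def verify_carrier(png: bytes, expected_md5: str) -> bool:
    """The integrity check the loader performs before touching the image."""
    return carrier_md5(png) == expected_md5


def extract_payload(png: bytes, expected_md5: str) -> bytes:
    """Mirror of the loader's recovery step: MD5 check, ARGB ints, low byte, Base64, JAR."""
    if not verify_carrier(png, expected_md5):
        raise ValueError("carrier MD5 does not match the C2-supplied value")
    pixels = read_png_rgba(png)
    # Bitmap.getPixels() returns packed ARGB ints; argb & 0xFF is the blue channel.
    argb = [(a << 24) | (r << 16) | (g << 8) | b for (r, g, b, a) in pixels]
    low = bytes(v & 0xFF for v in argb)
    (n,) = struct.unpack(">I", low[:4])
    jar = base64.b64decode(low[4:4 + n], validate=True)
    if not jar.startswith(b"PK\x03\x04"):               # a JAR is a ZIP archive
        raise ValueError("decoded payload is not a JAR")
    return jar                                          # the real loader passes this to DexClassLoader


# Constructed stand-in for the payload JAR (a real one would contain classes.dex).
FAKE_JAR = b"PK\x03\x04" + b"constructed stand-in for the Necro payload archive"


def demo() -> bytes:
    png = build_carrier(FAKE_JAR)
    expected = carrier_md5(png)   # stands in for the hash the C2 sends with the image location
    return extract_payload(png, expected)


if __name__ == "__main__":
    print(len(demo()), "payload bytes recovered from carrier")
```

On a real sample the same three checks are the useful triage signals: a PNG whose low-order channel decodes cleanly as Base64, a decoded blob starting with the ZIP magic, and an MD5 of the image appearing in C2 responses.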
Necro also adds layers of obfuscation around its operation. It uses a custom encryption scheme to mask data exchanged between the infected device and the C2 server: a simple substitution cipher whose table is generated by a pseudo-random number generator seeded with a constant. Because the seed is a constant compiled into the loader, the table is the same on every device and can be rebuilt by anyone who recovers the seed and generator from the app, but the traffic no longer matches signatures written for cleartext. The Trojan also runs its payloads in background processes that are not visible to the user, so nothing unusual appears on screen.
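An added example of why a constant-seeded substitution cipher is weak protection for C2 traffic; this is illustration code, not Necro's own, and the seed value, the Fisher-Yates shuffle used to derive the table, and the JSON-style message format are all assumptions, since the page does not give the Trojan's actual generator or wire format. The block builds the table from a fixed seed, encrypts two constructed messages, and then shows the two properties an analyst exploits: the ciphertext keeps the plaintext's length and byte repetitions, and one known plaintext (or the seed pulled from the APK) yields a mapping that reads every later message.

```python
import random

# Constructed placeholder for the constant seed compiled into the loader; the real value
# and the exact PRNG/shuffle would have to be recovered from the sample.
SEED = 0x4E4543


def build_table(seed: int) -> bytes:
    """Derive a 256-byte substitution table from a PRNG seeded with a constant (assumed construction)."""
    order = list(range(256))
    random.Random(seed).shuffle(order)
    return bytes(order)


def invert(table: bytes) -> bytes:
    inverse = bytearray(256)
    for plain, cipher in enumerate(table):
        inverse[cipher] = plain
    return bytes(inverse)


def encrypt(plain: bytes, table: bytes) -> bytes:
    # bytes.translate applies a 256-byte table: a pure byte-for-byte substitution.
    return plain.translate(table)


def decrypt(cipher: bytes, table: bytes) -> bytes:
    return cipher.translate(invert(table))


def recover_mapping(known_plain: bytes, observed_cipher: bytes) -> dict:
    """Known-plaintext recovery: the same table is used for all traffic, so every
    (plain, cipher) byte pair seen once holds for every other message. A conflict
    means the traffic is not a fixed substitution and this approach does not apply."""
    if len(known_plain) != len(observed_cipher):
        raise ValueError("a substitution cipher preserves length; these do not match")
    mapping = {}
    for p, c in zip(known_plain, observed_cipher):
        if mapping.setdefault(p, c) != c:
            raise ValueError("byte %02x maps to two ciphertext values; not a simple substitution" % p)
    return mapping


def partial_decrypt(cipher: bytes, mapping: dict) -> bytes:
    """Decrypt with whatever mapping has been recovered; unknown bytes are shown as '?'."""
    inverse = {c: p for p, c in mapping.items()}
    return bytes(inverse.get(c, ord("?")) for c in cipher)


# Constructed sample C2 messages (format assumed; the page does not give Necro's wire format).
BEACON = b'{"cmd":"ping","model":"Pixel 7","pkg":"com.example.spotifyplus"}'
TASK = b'{"cmd":"load","url":"http://example.invalid/stage2.png","md5":"d41d8cd98f00b204e9800998ecf8427e"}'


def demo() -> dict:
    table = build_table(SEED)
    c_beacon, c_task = encrypt(BEACON, table), encrypt(TASK, table)
    # An analyst who decrypted one message (or recovered the seed) can read later traffic.
    mapping = recover_mapping(BEACON, c_beacon)
    return {
        "roundtrip_ok": decrypt(c_task, table) == TASK,
        "length_preserved": len(c_task) == len(TASK),
        "bytes_known": len(mapping),
        "partial_task": partial_decrypt(c_task, mapping),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The partial decryption already exposes the command keyword and the URL structure of the second message because those bytes occurred in the first, which is the practical reason a static table gives no confidentiality against anyone who has captured one decrypted exchange.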
Once Necro has successfully loaded its payload, it can carry out various malicious tasks, ranging from displaying intrusive ads to executing arbitrary commands and downloading additional files. These actions can include installing apps without user consent, opening links in invisible WebViews, running tunnel operations to enable remote access, and even subscribing users to paid services without their knowledge. The Trojan is versatile in its capabilities and can adapt to different device configurations and app versions, making it a persistent threat. Its use of encrypted communications, steganography, and evasion techniques allows Necro to remain under the radar for extended periods, potentially compromising millions of devices worldwide before detection occurs.
The most concerning aspect of Necro’s operation is its ability to spread across multiple distribution channels. While it has been found in popular apps on Google Play, it is also prevalent in modified versions of apps available through unofficial sources, such as modded versions of WhatsApp. These modified apps are particularly dangerous because they often come from sources that lack proper security measures and may even appear legitimate to users. This dual approach to distribution—via both official and unofficial channels—ensures that Necro remains a potent threat across a wide range of Android devices. Developers and users must remain vigilant and take precautions when downloading and installing applications, even from seemingly trusted sources.
MITRE Tactics and Techniques
1. Initial Access
Spearphishing Link (T1566.002): Necro reaches devices through links, on websites posing as legitimate download sources, to modded APKs such as Spotify Plus, and through trojanized apps published on Google Play. The user follows the link or store listing and installs the app themselves; Necro's loader runs when the app is launched.
2. Execution
User Execution: Malicious File (T1204.002): Execution begins when the user launches the trojanized app. The loader then obtains what looks like a benign PNG image, recovers the next stage from the low-order bits of the image's pixel values, decodes it into a JAR and loads it with DexClassLoader on the compromised device.
Command and Scripting Interpreter: JavaScript (T1059.007): After a payload has been decoded and loaded, Necro can open WebView windows and run arbitrary JavaScript inside them, which is how it drives invisible ads and follows links without user involvement.
3. Persistence
Boot or Logon Autostart Execution (T1547): Necro's loader is embedded in the host application, so it is reinitialised whenever that app is launched, and it can install additional malicious apps in the background without user consent. Together these keep the Trojan operational across reboots for as long as the infected app remains on the device.
4. Privilege Escalation
Exploitation for Privilege Escalation (T1068): The behaviour described above runs with the permissions of the infected app; no specific vulnerability exploited by Necro is documented here. If it did exploit an unpatched flaw in an app or the OS, the payloads would gain deeper control over the device and could take more damaging actions.
5. Defense Evasion
Obfuscated Files or Information (T1027), including Steganography (T1027.003): Necro obfuscates its payloads and scripts to evade signature-based security solutions, and hides the next-stage JAR inside a PNG image so that the file carrying it looks like ordinary image content.
Encrypted Channel (T1573): Traffic between the infected device and the C2 server is masked with Necro's custom substitution cipher, so commands and the location of the next stage are not visible in cleartext to network security tools.
6. Collection
Data from Local System (T1005): Necro collects information about the compromised device, such as the device model and the installed applications, and reports it to the C2 server.
Screen Capture (T1113): Screen capture is not among the capabilities documented for Necro above. The closest observed behaviour is the loader interacting with invisible ad windows on the user's behalf, which is ad fraud rather than collection of screen content; treat this entry as unconfirmed.
7. Exfiltration
Exfiltration Over C2 Channel (T1041): The Trojan exfiltrates data over an encrypted channel, sending stolen information back to the C2 server. This may include details about the device, user information, or data related to the apps it infects.
8. Impact
Data Destruction (T1485): No destructive behaviour is documented for Necro; its observed impact is financial (invisible ad fraud and subscriptions to paid services without the user's consent). Deleting or corrupting data would only be expected if an operator chose to sabotage a device or to remove traces of the infection, and there is no evidence of that here.
Service Stop (T1489): Likewise unconfirmed. The Trojan relies on obfuscation, encryption and background execution to avoid interference rather than on any documented attempt to halt security services.
9. Command and Control (C2)
Application Layer Protocol (T1071): Necro’s C2 communication uses HTTP/HTTPS-based channels to receive commands and send stolen data. This communication is often encrypted and disguised to blend in with normal traffic, avoiding detection by security solutions.