Necro Trojan

12964334861?profile=RESIZE_400xAndroid phones are once again under attack from a dangerous trojan which has resurfaced to infect at least 11 million devices.  According to a blog post from the cybersecurity firm Kaspersky, the Necro trojan, which its security researchers first discovered in 2019, has returned.  The trojan is now being distributed via official apps on the Google Play Store, unofficial modded versions of popular apps and in Android game mods.   Once installed on one of the best Android phones, Necro then downloads additional payloads that are used to activate several malicious plugins.  From adware to subscription fraud to using infected devices as proxies to send malicious traffic, this malware is extremely versatile because of these plugins.

Here’s everything you need to know about the Necro trojan and how it can infect your smartphone along with some tips on how to stay safe from Android malware.   Even if you download a legitimate app from the Play Store, there’s still a slight chance it could be malicious as good apps can go bad thanks to the work of hackers. That appears to be exactly what happened in this case, as BleepingComputer points out, that the Necro trojan was installed through malicious advertising software development kits (SDK).[1]

The first and most downloaded app on the Play Store is Wuta Camera, which lets you take pictures, touch them up and add a number of effects.  This app alone was downloaded 10 million times.  Based on Kasperky’s data, the Necro trojan was added to version 6.3.2.148 of Wuta Camera.  However, versions starting from  6.3.7.138 no longer contain the trojan. This means if you’re using an older version of this app, you need to update it immediately.

The next official app infected with the Necro trojan is a web browser called Max Browser with one million downloads. The trojan was added to its code in version 1.2.0 but the app was removed from the Play Store after Kaspersky informed Google that it had become malicious. However, it’s still available on third-party app stores, so it’s best to recommend downloading Max Browser for the time being.

Kaspersky also found the Necro trojan lurking in a modified version of the Spotify Plus app.  Users were invited to download a new version of the app from an unofficial source.  However, unlike with the official Spotify app, this version was free and came with an unlocked subscription.  This should have been a red flag but some unsuspecting users decided to download and install it despite the risk which led to their phones being infected with the Necro trojan.

Finally, Kaspersky found the Necro trojan lurking in mods for WhatsApp, Minecraft and other popular games including Stumble Guys, Car Parking Multiplayer and Melon Sandbox.  Hackers often use mods to popular games as a lure, so when in doubt, you should avoid modding mobile games altogether.

When it comes to malware-filled apps, the first and most important thing you can do is to avoid downloading apps from unofficial sources.  Sideloading apps may be easy and convenient but doing so can also be extremely dangerous. This is why you should stick to official app stores like the Google Play Store, Samsung Galaxy Store and the Amazon Appstore.

From here, you want to ensure that Google Play Protect (which comes pre-installed) is enabled on your Android smartphone.  This first-party app scans all of the new apps as well as your existing ones for malware and other threats. For even more protection though, you should consider using one of the best Android antivirus apps alongside it.  Even when you download apps from the Play Store or other official app stores, you want to check their ratings and reviews first. As these can be faked though, it’s always a good idea to look for a video review online, so that you can see the app in question in action before downloading it.

Recently, Google has made great strides at eliminating malicious apps from the Play Store but they still manage to slip through the cracks from time to time.  This is why it’s a good idea to limit the number of apps on your phone overall.

The researchers again highlight the dangers of the Necro Trojan, first reported on in 2019, when they “discovered a Trojan in CamScanner, a text recognition app, which had clocked up over 100 million downloads on Google Play.  Now the ‘necromancers’ have injected new blood into the old Trojan: we found a version richer in features both in popular apps on Google Play and in various app mods on unofficial sites.”

The advice is simple.  No to third-party stores, and a bigger no to mods for popular apps from unofficial sources.  But “apps on Google Play and other official platforms should also be treated with a healthy dose of skepticism.  Even a popular app like Wuta Camera, with 10 million downloads, proved powerless in the face of Necro.”

The trojan has evolved and its obfuscation is far advanced over its earlier iterations.  Its intent remains the same, though: “Load and run any DEX files, install downloaded apps, tunnel through the victim’s device, and even—potentially—take out paid subscriptions.  In addition, they can display and interact with ads in invisible windows, as well as open arbitrary links and run any JavaScript code.”

The second warning comes from Cleafy, which warns that in June it “identified an unclassified Android banking Trojan… a variant of TrickMo, albeit with newly incorporated anti-analysis mechanisms.”   TrickMo is an evolution of the infamous TrickBot, again with more advanced obfuscation and proactive masking from analysis to hinder discovery.  Again TrickMo was first identified back in 2019, and so we see the common pattern again, as these threats evolve and harden as the constant game of cat and mouse continues, as the various defenses put in place around phones and stores improve.

TrickMo’s bag of tricks is impressively complete and includes:

  • Interception of One-Time Passwords (OTPs)
  • Screen Recording and Keylogging
  • Remote Control Capabilities
  • Accessibility Service Abuse
  • Advanced Obfuscation Techniques
  • Anti-Analysis Mechanisms

Again, not something you want on your phone.  This malware is distributed by way of a fraudulent Chrome browser update, but one that when installed prompts users with “a warning message prompting users to update Google Play services.”

According to Cleafy, “the new app is deceptively named ‘Google Services’ and poses as a legitimate instance of Google Play Services.  Upon launching, the app displays a window to ask the user to enable Accessibility services for the app.”  This neat social engineering, disguising malware behind trusted names is unsurprisingly effective.

The common thread here is clear.  Do not trust mods or updates or even initial installs of popular apps from anything other than official stores.  Do not fall for unofficial mods from anything other than source.  And even pay attention to official stores installs for trivial apps from unfamiliar developers.   In response to the new reports, a Google spokesperson told me that “all of the malicious versions of the apps identified by this report were removed from Google Play prior to report publication.  Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”  Google assured that Play Protect will defend users against both Necro and TrickMo. It really is essential that users ensure Play Protect is enabled on devices; once threats are confirmed, this will defend you against infection by any future instances.

Talking of new threats, a third report into new Android malware in short succession has just been released.  Again, continuing the theme, ThreatFabric warns that a new Octo variant is targeting users while “masquerading as masquerading as Google Chrome, NordVPN, and Enterprise Europe Network applications.”  Octo itself, part of the Exobot family, is so well established, that the researchers warn that “the discovery of a new version, named ‘Octo2’ by its creator, could potentially shift the threat landscape and the Modus Operandi of the actors behind it.”   Again, continuing the theme this is a case of an evolving malware rather than a totally new threat. “The first samples of the Exobot malware family were seen in 2016.  At that time, it was a banking trojan capable of performing overlay attacks and controlling calls, SMS, and push notifications.”  The evolution from Exobot to ‘ExobotCompact’ (Octo) came three years later, in 2019.

ThreatFabric says it has detected Octo activity through Malware-as-a-Service campaigns as far afield as “Europe, the USA, Canada, the Middle East, Singapore, and Australia.”  The rental of the malware works to accelerate its spread, leveraging multiple other threat actors and the required hardware and obfuscation.  The new malware variant, Octo2, is expected to seamlessly replace its predecessor and thus leverage established channels to market.  The researchers say “Octo2’s settings contain traces of multiple applications and apps being on the radar of the actors… It means that once Octo2 detects a push notification from one of the apps on the list, it will intercept it and not show it to the victim.  The presence of the app on the list means that it is of interest to cybercriminals, and they are already preparing to attack its users.”  Again as elsewhere, Octo2 uses a fraudulent “Google” notification pop-up to trick Android users into bypassing device restrictions to enable the malware to run. Unsurprisingly, material changes have been made in this latest iteration—but the intent remains to steal app-specific banking credentials through targeted campaigns.  “The emergence of the Octo2 variant signals future challenges for mobile banking security, as its enhanced capabilities and wider usage pose significant risks… Octo2 builds on [its] foundations with even more robust remote access capabilities and sophisticated obfuscation techniques.  This makes it harder for security systems to detect and remove it, increasing the malware's longevity and potential impact.”

Octo may be changing, but the advice for users remain the same; here’s a refresh on the other golden rules for staying safe:

  • Stick to official app stores—don’t use third party stores and never change your device’s security settings to enable an app to load.
  • Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
  • Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
  • Once a month, scan through your phone and delete a few of the apps you no longer need or haven’t used in a long time.
  • Do not install apps that link to established apps like WhatsApp unless you know for a fact they’re legitimate—check reviews and online write-ups.

 

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

1 https://www.kaspersky.co.uk/blog/necro-infects-android-users/28199/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!