11 million Android devices hit by Necro Trojan

Over 11 million Android users worldwide have been infected by the Necro Trojan, a notorious malware masquerading as a legitimate app. Initially discovered in 2019, the Necro Trojan has resurfaced with new capabilities, targeting popular apps on Google Play and widely used mods from third-party sites.

The latest iteration of Necro is far more advanced than its predecessor. The Trojan is now a loader equipped with obfuscation techniques that make it difficult to detect.

Once installed, it downloads its malicious payload in a novel way — using steganography to hide its code within seemingly harmless images.

Once the payload is downloaded, the Trojan can execute a range of malicious activities, from installing apps to executing DEX files (compiled Android code). More alarmingly, it can initiate paid subscriptions, interact with ads through visible windows, open arbitrary links, and even run JavaScript code—all without the user’s knowledge.

Researchers have found the Necro Trojan lurking in various popular apps and modified versions. One of the most prominent examples is a user-modded version of Spotify, where attackers offered users a free, unlocked subscription under the guise of the Spotify Plus app.

Modded Spotify APK app distributing Necro Trojan.

The malware, distributed via unofficial sources, communicated with the attackers’ servers to download an infected image, allowing the Trojan to execute its harmful code.

However, as researchers discovered, Necro’s reach extends beyond unofficial sources. The Wuta Camera app, downloaded over 10 million times from Google Play, was found to be infected in version 6.3.2.148. The app has since been cleaned, starting with version 6.3.7.138, and users running older versions are urged to update immediately.

Wuta Camera is yet another app spreading Necro Trojan.

Another victim of the Necro Trojan was the Max Browser. Its version 1.2.0 carried the malware, which reached over one million users before the app was removed from the Google Play Store.

The Necro Trojan has also been detected in mods for popular apps and games, including WhatsApp, Minecraft, and Stumble Guys. These mods, often distributed via third-party sites, lure users with promises of enhanced features but carry dangerous malware in their code.

Given the popularity of these games, attackers have strategically targeted them, aiming for the largest possible audience.

Researchers have urged individuals and organisations to avoid downloading apps from unofficial sources, remain cautious even on Google Play, only use trusted security software, and avoid mods and hacked versions of apps.
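
For fleet triage, the version details above can be turned into an inventory check. The following is an added example, not code from the researchers or this article's author; apps are matched by display name because the article gives no package identifiers, and the inventory rows are constructed.

```python
# Added example: triage an app inventory against the versions this article names.
import csv
import io

def parse_version(text):
    """Turn a dotted version such as '6.3.2.148' into a tuple of ints for comparison."""
    return tuple(int(part) for part in text.strip().split("."))

# Keyed by display name (the article gives no package ids); None = no fixed build named.
ADVISORY = {
    "wuta camera": {"infected": {(6, 3, 2, 148)}, "clean_from": (6, 3, 7, 138)},
    "max browser": {"infected": {(1, 2, 0)}, "clean_from": None},
}

def classify(app_label, version_name):
    """Return 'known-infected', 'update-required', 'review' or 'ok' for one install."""
    entry = ADVISORY.get(app_label.strip().lower())
    if entry is None:
        return "ok"
    try:
        version = parse_version(version_name)
    except ValueError:
        return "review"  # non-numeric version string: needs a human look
    if version in entry["infected"]:
        return "known-infected"
    if entry["clean_from"] is None:
        return "review"  # app was pulled from Google Play; no clean build is named
    return "ok" if version >= entry["clean_from"] else "update-required"

def triage(inventory_csv):
    """Yield (device, app, version, verdict) for every row that is not 'ok'."""
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = classify(row["app"], row["version"])
        if verdict != "ok":
            yield row["device"], row["app"], row["version"], verdict

# Constructed sample inventory, e.g. an MDM export reduced to three columns.
SAMPLE = """device,app,version
pixel-01,Wuta Camera,6.3.2.148
pixel-02,Wuta Camera,6.3.5.100
pixel-03,Wuta Camera,6.3.7.138
tab-07,Max Browser,1.2.0
tab-08,Max Browser,1.3.0-beta
tab-09,Calculator,2.0
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="\t")
```

Wuta Camera builds older than 6.3.7.138 are reported as `update-required` because the article urges users on older versions to update, not because every such build is confirmed infected.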

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me