The discovery of Necro malware in widely-used camera and browser apps on the Play Store has raised alarms, although it’s still unclear how the apps were initially compromised. Experts suspect that a malicious software development kit (SDK) used to integrate advertising features may be the source of the breach.
First identified by a Russian cybersecurity team in 2019, Necro was originally found embedded in a document scanning app, CamScanner. The app blamed the issue on a third-party advertisement SDK, which contained a harmful module designed to download additional malware from a remote server, acting as a loader for other types of malicious software.
The latest version of Necro follows a similar pattern but has adopted advanced obfuscation techniques, such as steganography, to avoid detection. It conceals its malicious payloads in image files and leverages invisible ads to interact with them, among other nefarious actions.
Once installed, Necro can perform a range of dangerous functions, including opening links in hidden WebView windows, executing JavaScript, tunneling traffic through the victim’s device, and even subscribing to premium services.
The malware often spreads through modified versions of popular apps and games available on unofficial sites, which contain a module named Coral SDK that communicates with a remote server. This server then sends a link to a fake image file, from which the actual malicious payload is extracted.
Necro’s malicious activities are facilitated by several modules, including NProxy, which creates a network tunnel through the infected device, and Cube SDK, which manages background ad operations.
Another module, Happy SDK, hints that attackers may be experimenting with non-modular versions of the malware to increase its versatility. According to recent telemetry, over 10,000 Necro attacks were blocked globally between late August and mid-September 2024, with the highest concentrations of incidents in countries such as Russia, Brazil, and Vietnam.
This new multi-stage malware loader uses rare techniques like steganography and a modular structure, allowing it to evolve and deliver targeted malicious updates as needed.
To avoid falling victim to malware like Necro, users should only download apps from trusted sources, such as official app stores, and regularly update their devices and applications. Be cautious of apps that ask for excessive permissions or seem to perform unnecessary functions.