In recent years, the landscape of mobile malware has dramatically evolved, especially as users increasingly seek modified applications (mods) for popular services like [Spotify]( and WhatsApp. These mods often promise users enhanced functionality or ad-free experiences. Unfortunately, many of these unofficial modifications come with significant risks, including embedded malware that can compromise user data and device security.

One such threat that has resurfaced is the Necro Trojan, a multi-stage malware loader that has been found infiltrating popular apps both on unofficial sources and within Google Play itself. The Necro Trojan poses a significant risk due to its sophisticated evasion techniques, including obfuscation, steganography, and multi-stage payload deployment, making it challenging to detect and mitigate.

Significance of the Threat

Necro is not just another run-of-the-mill malware. Its modular design allows it to execute a variety of malicious functions, such as:

• Displaying ads in invisible windows.
• Interacting with web elements in the background.
• Downloading and executing arbitrary files.
• Installing applications covertly.
• Subscribing users to paid services without their consent.

In total, millions of devices have been affected by this malware, which demonstrates the wide-reaching consequences of using modded applications from unofficial sources. Necro’s reappearance on Google Play through infected apps signals the continuous efforts of cybercriminals to exploit both trusted and untrusted distribution channels, significantly increasing the scope of potential victims.

---

Technical Analysis

Discovery of Necro Trojan

The Necro Trojan was first discovered in 2019 when it was embedded in the widely used document-scanning application CamScanner on Google Play. At the time, the app had over 100 million downloads. The malicious Necro loader was hidden within an innocuous-looking update, which, once installed, delivered the payload to the user’s device. Fast forward to 2024, and Necro has returned with even more complex evasion techniques and wider distribution.

Spotify mod

In late August 2024, security researchers identified the Necro Trojan once again, this time embedded in modded applications like Spotify Plus and WhatsApp mods, downloaded from unofficial sources. What made the discovery particularly concerning was that some infected apps were found within the Google Play Store, indicating that even vetted platforms are not immune to Necro's reach.

Malware Delivery & Spread

Initial Infection Vectors

The primary infection vectors for the Necro Trojan include:

1. Unofficial APK websites: Users looking for modified versions of apps, such as Spotify mods with premium features unlocked, were downloading infected versions from websites like spotiplus[.]xyz. These websites falsely claimed to offer certified and safe versions of the applications, luring users into a false sense of security.
2. Google Play Store: Legitimate-looking applications, such as Wuta Camera and Max Browser, were found to have been compromised with the Necro loader. These apps were downloaded millions of times, illustrating the widespread distribution.

Wuta Camera App in Google Play

Example:

In Wuta Camera, a popular photo-editing app, the Necro loader was embedded in versions starting from v6.3.2.148. By the time the malicious activity was discovered, the app had been downloaded over 10 million times. After security researchers flagged the issue, the loader was removed in v6.3.7.138.

Modifications and Trojan Features

Necro Trojan’s operation hinges on its ability to modify legitimate apps without arousing suspicion. A typical infected app includes a custom Application subclass that initializes a malicious SDK, such as Coral SDK, during its execution. This SDK is responsible for integrating various advertising modules into the app, but more importantly, it communicates with a Command-and-Control (C2) server, transmitting data about the compromised device.

The C2 server then issues commands back to the Trojan, triggering specific malicious behaviors like:

• Downloading additional malware.
• Running code via the DexClassLoader (allowing it to execute arbitrary Java files).
• Interacting with invisible ads to generate revenue for the attackers.

Technical Example:

Here is a sample of the JSON data transmitted by the Trojan to the C2 server:

{
	"appId": "REDACTED",
	"channelId": "com.spoti.plus",
	"androidId": "REDACTED",
	"isAdb": false,
	"isProxy": false,
	"isSimulator": false,
	"isDebug": false,
	"localShellVer": 0,
	"sdkVer": 116,
	"appVersion": "1020000005",
	"appVersionName": "18.9.40.5"
}

---

Obfuscation Techniques and Multi-Stage Payload Execution

Obfuscation and Steganography

One of the reasons Necro is so difficult to detect lies in its sophisticated use of obfuscation techniques. The malicious code is obfuscated using tools like OLLVM (Obfuscator-LLVM), which scrambles the code into a format that is extremely challenging to decompile or analyze.

Additionally, steganography is employed to hide payloads within seemingly innocuous files, such as PNG images. The Trojan downloads these images from the C2 server, extracts the hidden data using Android’s getPixel method, and then reconstructs it into a Base64-encoded JAR file. Once decoded, this JAR file is executed by DexClassLoader, allowing the Trojan to execute the next stage of its payload without raising red flags.

Example of Steganography:

The image contains the encoded payload in its least significant byte (LSB) values:

int pixelValue = bitmap.getPixel(x, y);
byte payloadByte = (byte) (pixelValue & 0xFF);  // Extracts the blue channel data (LSB)

This payload extraction process highlights Necro’s advanced ability to hide in plain sight and execute code without triggering conventional antivirus software.

Real-World Case Studies

Infected Applications: Wuta Camera and Max Browser

Wuta Camera:

Wuta Camera is a widely used photo-editing app available on Google Play with over 10 million downloads. It was initially released as a legitimate app, but in version 6.3.2.148, the Necro Trojan was embedded within it. This infection allowed attackers to exploit a large user base, especially in regions like Russia, Brazil, and Vietnam. By the time the infected version was discovered, thousands of users had already been affected.

How Necro Operated Within Wuta Camera:

1. Upon launch, Wuta Camera initialized its legitimate functions, including photo-editing features, while the Necro Trojan loader ran in the background.
2. Necro would connect to its C2 server, transmitting details about the user’s device, including IMEI, IMSI, and Android OS version.
3. The C2 server could then issue commands to:
   • Open invisible WebViews to interact with ads.
   • Download additional malware payloads (e.g., DexClassLoader running Base64 JARs).
   • Exfiltrate sensitive device information.

After being reported by security researchers, Google Play removed the malicious version, and Wuta Camera was forced to release a clean version in 6.3.7.138.

Max Browser:

Max Browser was another popular app infected with the Necro Trojan. With over 1 million downloads, it represented a significant attack vector for the Trojan authors. Version 1.2.0 of Max Browser included the Necro loader, which used Firebase Remote Config to remotely update its payload. This version of the Trojan also utilized steganography to conceal malicious code in image files downloaded from the C2.

Key Features of the Necro Trojan in Max Browser:

• Obfuscation Layers: Code was highly obfuscated using OLLVM and encrypted communication methods to evade security detection.
• Network Behavior: The browser sent user data and app information to a remote server through encrypted POST requests, making it challenging for traditional security tools to detect.
• Stealth Operation: Like Wuta Camera, Max Browser could open hidden WebViews to perform background ad fraud, ultimately draining user data and resources without their knowledge.

By the time researchers identified the infection, the Trojan had affected a large number of users, primarily in Southeast Asia. The infected version was promptly removed after being flagged.

---

Deep Dive into Code and Execution

Code Samples and Steganographic Payload Extraction

The Necro Trojan is particularly notable for its use of advanced code obfuscation and payload delivery techniques. Here, we will explore some of the core technical elements of the malware, including code samples that highlight its behavior.

DexClassLoader and Base64 Payload Execution

One of the Trojan’s most dangerous techniques is its use of DexClassLoader to load and execute malicious payloads from dynamically downloaded JAR files. This allows the malware to evade static analysis and deliver malicious code at runtime.

Code Sample 1: Loading the Payload with DexClassLoader

// Sample code from the Trojan showing how a Base64-encoded JAR is loaded and executed.
String encodedJar = "Base64 encoded JAR string here";
byte[] decodedJar = Base64.decode(encodedJar, Base64.DEFAULT);
// Write the decoded bytes to a temporary file.
File tempJar = new File(context.getCacheDir(), "temp.jar");
FileOutputStream fos = new FileOutputStream(tempJar);
fos.write(decodedJar);
fos.close();
// Use DexClassLoader to load and execute the JAR file.
DexClassLoader classLoader = new DexClassLoader(tempJar.getPath(),
context.getDir("dex", 0).getAbsolutePath(),
null,
context.getClassLoader());
Class loadedClass = classLoader.loadClass("com.malicious.EntryPoint");
Method runMethod = loadedClass.getMethod("run");
runMethod.invoke(null);

Explanation:

• The Trojan first decodes the Base64-encoded JAR file that it downloads from the C2 server.
• The decoded file is temporarily stored in the app’s cache directory.
• Using DexClassLoader, the malware dynamically loads the decoded JAR, making it invisible to many anti-malware tools.
• The entry point run() method is invoked, which executes the next stage of the payload.

Steganographic Techniques

Another highly advanced technique used by the Necro Trojan is steganography. The payload is hidden inside PNG images using a simple, yet effective, least significant bit (LSB) extraction technique. By embedding the payload in the image, the Trojan can bypass traditional antivirus scanning, which doesn’t typically scan images for malicious code.

Code Sample 2: Extracting Payload from PNG Images

// Extracting the payload hidden in the least significant byte (LSB) of each pixel.
Bitmap image = BitmapFactory.decodeStream(new FileInputStream("path/to/downloaded/image.png"));
ByteBuffer payloadBuffer = ByteBuffer.allocate(image.getWidth() * image.getHeight() * 4);
for (int y = 0; y < image.getHeight(); y++) {
for (int x = 0; x < image.getWidth(); x++) {
int pixel = image.getPixel(x, y);
payloadBuffer.put((byte) (pixel & 0xFF));  // Store the least significant byte (blue channel)
}
}
// Reconstruct the payload from the extracted bytes
byte[] payload = new byte[payloadBuffer.position()];
payloadBuffer.rewind();
payloadBuffer.get(payload);
// Decode the payload and prepare it for execution
String base64Payload = new String(payload, StandardCharsets.UTF_8);
byte[] decodedPayload = Base64.decode(base64Payload, Base64.DEFAULT);

Explanation:

• The Trojan decodes the hidden payload from the least significant byte (LSB) of each pixel in the PNG image.
• It reconstructs the Base64-encoded payload and then decodes it.
• The decoded payload is then processed, typically by using DexClassLoader to execute the next stage.

---

Infection Diagram

Security Recommendations

Given the sophisticated nature of the Necro Trojan, security measures need to go beyond traditional antivirus or basic app security. Here are super-tailored and targeted recommendations for users, developers, and enterprises:

1. For Users:

• Only Download Apps from Trusted Sources: Stick to official app stores like Google Play or the Apple App Store, and avoid installing APKs from third-party websites.
• Verify App Permissions: Always review the permissions an app requests. If an app requests permissions that seem excessive for its functionality (e.g., a photo-editing app requesting access to SMS), it should raise a red flag.
• Regularly Update Apps and OS: Ensure that your device and apps are always running the latest versions, as these updates often include critical security patches.
• Use a Reputable Security Solution: Install security software that specifically scans for hidden malware, such as steganography, and can analyze real-time network behavior.

2. For Developers:

• Review Third-Party SDKs: The Trojan’s infection vector often involves compromised third-party SDKs, such as ad modules. Ensure that all SDKs used in the app are from trusted sources and regularly vetted for security.
• Implement Code Obfuscation Techniques: While this seems counterintuitive, developers can also use obfuscation tools (like ProGuard) to prevent their apps from being easily modified or reverse-engineered by attackers.
• Monitor App for Abnormal Behavior: Developers should implement analytics and monitoring that can detect unusual behaviors, such as large, unexpected data transfers or background app installations.

3. For Enterprises:

• Implement Mobile Device Management (MDM): Enterprises should use MDM solutions to monitor and control apps installed on company devices. These systems can help enforce policies that prevent the installation of unapproved apps.
• Network Traffic Monitoring: Implement systems that can detect abnormal network traffic patterns, especially encrypted outbound connections to suspicious domains (e.g., bearsplay[.]com).
• Regular Threat Intelligence Feeds: Subscribe to threat intelligence feeds that report new indicators of compromise (IOCs) for emerging threats like Necro. This allows security teams to update their defense mechanisms in real-time.

4. Additional Security Recommendations:

• Use App Sandboxing: Running apps in a sandbox environment can help mitigate the damage if malware is present. Even if an app attempts to exfiltrate data or execute a payload, it will be limited to the sandboxed environment.
• Deep Packet Inspection (DPI): For enterprises, utilizing DPI tools can help detect malicious traffic by inspecting data packets in real-time, even if the malware uses obfuscation techniques.

---

Conclusion

The resurgence of the Necro Trojan illustrates the persistent and evolving threats that target mobile devices. Its ability to evade detection through multi-stage loading, obfuscation, and steganography poses a significant challenge to both users and security professionals. With millions of devices affected globally, the Necro Trojan demonstrates how even trusted platforms like Google Play can become a distribution vector for sophisticated malware.

To mitigate these risks, it is crucial for all stakeholders—users, developers, and enterprises—to remain vigilant. Users must exercise caution when downloading apps, developers need to ensure their applications are secure and uncompromised, and enterprises must deploy robust security measures to protect their devices and data from these evolving threats.

By staying informed, employing best security practices, and leveraging advanced security solutions, we can collectively reduce the threat posed by malware like Necro.