Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Necro Trojan. Show all posts
Steganography
Android Google Play Store malware Necro Trojan Steganography

Necro Trojan Uses Steganography to Attack 11 Million Devices

Necro Trojan Uses Steganography to Attack 11 Million Devices

Necro Trojan, which has recently made headlines for its innovative use of steganography has compromised over 11 million Android devices. This blog delves into the intricacies of this malware, how it works, and its impact on cybersecurity.

Understanding the Necro Trojan

The Necro Trojan, also known as Necro Python, is a versatile and highly adaptive piece of malware. Its primary strength lies in its modular architecture, allowing it to perform various malicious activities. 

These include displaying invisible ads, executing arbitrary code, and subscribing users to premium services without their consent. However, what sets the Necro Trojan apart is its use of steganography—a technique that involves hiding malicious code within seemingly innocuous files, such as images.

The Role of Steganography

Steganography is an ancient practice where hidden messages were concealed within other forms of communication. This technique has been repurposed in the digital age for more scandalous ends. 

The Necro Trojan is a complex, multi-stage Android malware that has managed to infiltrate both Google Play and unofficial app sources, impacting over 11 million devices. It targets popular apps such as Wuta Camera, Max Browser, and modified versions of Spotify, WhatsApp, and Minecraft.

Necro uses advanced evasion techniques, including obfuscation with OLLVM, steganography to conceal payloads in PNG images, and a modular architecture for versatility. The infection process begins with a loader that connects to C2 servers, often utilizing Firebase Remote Config.

The Trojan’s plugins (NProxy, island, web, Happy SDK, Cube SDK, and Tap) perform various tasks, from creating tunnels through victim devices to manipulating ad interactions. Its self-updating capability and use of reflection to integrate privileged WebView instances within processes help it bypass security measures.

How Necro Trojan Impacts Android Devices

The scale of the Necro Trojan’s impact is staggering. With over 11 million Android devices compromised, the malware has demonstrated its ability to spread rapidly and efficiently. 

The consequences for affected users can be severe, ranging from unauthorized financial transactions to significant data breaches. Moreover, the Trojan’s ability to execute arbitrary code means that it can be used to deploy additional malware, further compounding the threat.

Read more »
WhatsApp
Google malware Minecraft Necro Trojan Play Store Spotify WhatsApp

Necro Malware Attacks Google Play Store, Again. Infects 11 Million Devices

Necro Malware Attacks Google Play Store, Again. Infects 11 Million Devices

A new variant of Necro malware loader was found on 11 million Android devices through Google Play in infected SDK supply chain attacks. The re-appearance of Necro malware is a sign of persistent flaws in popular app stores like Google. 

A recent report by Kaspersky suggests the latest version of Necro Trojan was deployed via infected advertising software development kits (SDK) used by Android game mods, authentic apps, and mod variants of famous software, such as Minecraft, Spotify, and WhatsApp. The blog covers key findings from the Kaspersky report, the techniques used by threat actors, and the impact on cybersecurity. 

What is Necro Trojan 

Aka Necro Python, the Necro Trojan is an advanced malware strain active since it first appeared. Malware can perform various malicious activities such as cryptocurrency mining, data theft, and installation of additional payloads. The recent version is more advanced, making it difficult to track and eliminate. 

Distribution of Necro Trojan

Users sometimes want premium or customized options that official versions don't have. But these unofficial mods, such as GB WhatsApp, Spotify+, and Insta Pro can contain malware. Traditionally, threat actors used these mods because they are distributed on unofficial sites that lack moderation. 

However, in the recent trend, experts discovered actors targeting official app stores via infected apps

In the latest case, Trojan authors abused both distribution vectors, a new variant of multi-stage Necro loader compromised modified versions of Spotify, Minecraft, and other famous apps in unofficial sources, and apps in Google Play. "The modular architecture gives the Trojan’s creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application,” said the report.

Key Findings

  • The downloaded payloads can display ads in invisible windows, and interact with them. They can also execute arbitrary DEX files, install download apps, open arbitrary links in invisible WebView windows and run JavaScript, run a tunnel via the victim's device, and subscribe to paid services. 
  • The new variant of the Necro loader uses obfuscation to escape detection. 
  • The loader deployed in the app uses steganography tactics to hide payloads 

Read more »
Subscribe to: Posts (Atom)