Kaspersky experts recently uncovered a dangerous new version of the Necro Trojan that had infiltrated several popular apps, including those on the Google Play Store. This malware, primarily targeting Android devices, downloads other malicious components that can harm infected smartphones. Necro has been found lurking within several popular applications on Google Play and modified applications on unofficial platforms, including Spotify, WhatsApp and Minecraft.
Necro is a sophisticated Android downloader that follows commands from its creators to run harmful activities. Kaspersky’s solutions have recorded its spread in multiple countries as part of a broader malicious campaign, making it a growing threat to mobile users worldwide.
Also read: This Android malware can steal your OTPs, record your screen, and more: Is your phone safe?
The variant of Necro identified by Kaspersky can download harmful modules onto smartphones, performing actions like displaying invisible ads and clicking on them, downloading executable files, and installing third-party apps. It can also open invisible windows to execute JavaScript code, potentially subscribing users to unwanted paid services. Additionally, Necro can redirect internet traffic through infected devices, allowing cybercriminals to use them as part of a proxy botnet.
Also read: High-risk security flaw found in iPhones and other Apple products: Is your device safe?
Kaspersky’s experts first discovered Necro in a modified version of Spotify Plus on unofficial platforms. This app promised additional features not available in the official version but was actually infected. Other apps, including WhatsApp, Minecraft, Stumble Guys, and Car Parking Multiplayer, were also found with Necro embedded via an unverified ad module.
Shockingly, Necro was also found in apps on the Google Play Store, including Wuta Camera and Max Browser, which had a combined download count of over 11 million. Both apps were infected via an unverified ad module, and after Kaspersky’s report to Google, the malicious code was removed from Wuta Camera, and Max Browser was taken down. However, Necro continues to spread through unofficial platforms.
Cybersecurity expert Dmitry Kalinin warns that downloading modified apps to bypass restrictions is a common tactic cybercriminals use to spread malware. The Necro Trojan even hides its malicious payload within images, using a rare technique called steganography to avoid detection.