Steganography enables threat actors to hide secret information within ordinary, non-secret files or messages to avoid detection.
Common forms include embedding text in images or audio files, and it is often used alongside encryption to enhance security.
Cybersecurity researchers at Kaspersky Lab recently discovered that the Necro trojan has been using steganography techniques to hack 11 million Android devices.
The “Necro Trojan” is a sophisticated multi-stage Android malware that has infiltrated both “Google Play” and “unofficial app” sources, affecting over 11 million devices.
This malware exploits popular applications like “Wuta Camera,” “Max Browser,” and “modified versions of Spotify,” “WhatsApp,” and “Minecraft.”
Necro employs advanced evasion techniques such as obfuscation using “OLLVM,” steganography to hide payloads in “PNG images,” and a modular architecture for flexibility, according to the research.
The infection process begins with a loader that communicates with C2 servers, often using “Firebase Remote Config.”
The plugin loader is responsible for downloading and executing dozens of plugins, each of which is in charge of its own malicious purpose.
Those malicious purposes are as follows:
Necro’s plugins (‘NProxy,’ ‘island,’ ‘web,’ ‘Happy SDK,’ ‘Cube SDK,’ and ‘Tap’) perform tasks ranging from creating tunnels via victim devices to manipulating ad interactions.
The self-updating mechanism shows the adaptability of the malware. It also uses reflection to add privileged “WebView” instances within processes, which helps it evade security defenses.
Monitoring an application within an official app store is important, as evidenced by the development of app security threats.
Between August 26 and September 15, more than “10,000 Necro attacks” were discovered globally, and in these attacks, Russia, Brazil, and Vietnam experienced the highest infection rates.
The modular architecture of the Trojan enables its creators to flexibly deliver targeted updates and new malicious modules, depending entirely on the compromised application.
The use of “steganography” is particularly noteworthy as it’s an uncommon tactic in mobile malware.
This combination of techniques reveals the evolving complexity of mobile threats, making the actual number of infected devices significantly higher than initially estimated.