The Necro Trojan has reappeared, infiltrating popular apps including Google Play releases and Spotify mods, using steganography and obfuscation to hide its second-stage payloads. Its modular loader can download and run multiple plugins, enabling ad injection, arbitrary file downloads, and JavaScript execution on infected devices. #Necro #SpotifyPlus #WutaCamera #MaxBrowser #Spotiplus #BearsPlay #Steganography
Key points
- The Necro loader has infected popular applications, including Spotify mods and apps on Google Play, affecting an audience exceeding 11 million devices.
- Payloads are hidden using steganography in images and are obfuscated to evade detection.
- The loader can display ads, download arbitrary files, execute JavaScript, and open links in invisible WebView windows.
- The attacker uses a modular architecture with multiple plugins (e.g., NProxy, Island, Web/Lotus SDK, Cube, Happy SDK, Jar SDK, Tap) to extend functionality.
- C2 infrastructure includes bearsplay[.]com and oad1.azhituo[.]com, with Firebase Remote Config used in some WhatsApp mod variants as a C2.
- In Google Play, infected apps include Wuta Camera and Max Browser; some have been removed after discovery, while others remain in unofficial sources.
- Protection recommendations include updating or deleting infected apps, downloading only from official sources, and using reliable security solutions.
MITRE Techniques
- [T1071] Command and Control: utilizes command-and-control servers to receive instructions and send data.
- [T1210] Exploitation of Remote Services: exploits vulnerabilities in applications to execute malicious code.
- [T1027] Data Obfuscation: employs obfuscation techniques to hide malicious code.
- [T1071.001] Application Layer Protocol: uses application layer protocols for C2 communication.
- [T1027.003] Steganography: hides payloads within images to evade detection.
Indicators of Compromise
- [URL] C2 and payload download sites: spotiplus[.]xyz, hxxps://adoss.spinsok[.]com/plugin/shellP_100.png.png
- [Domain] Command-and-control domains: bearsplay[.]com, oad1.azhituo[.]com, 174.129.61.221 (an example of a C2 address from the listings)
- [MD5] Payload/file hashes: F338384C5B4BC7D55681A3532273B4EB, 1cab7668817f6401eb094a6c8488a90c (and 2 more hashes)
- [Android package] Infected apps' package names: com.spoti.plus, com.leapzip.animatedstickers.maker.android
- [Application] Infected apps detected: Wuta Camera, Max Browser, Spotify Plus
- [File name] Hidden payload indicators: shellP, shellPlugin
Read more: https://securelist.com/necro-trojan-is-back-on-google-play/113881/