Security researchers have identified that some Google Play apps and unofficial modified versions (mods) of popular apps are being exploited to spread a dangerous malware known as the Necro trojan. This malware has the ability to log keystrokes, steal sensitive data, install additional malicious software, and remotely execute commands. Two apps in the Google Play store, along with modded Android apps like Spotify, WhatsApp, and games such as Minecraft, were found distributing this trojan.
Necro Trojan Spread via Google Play Apps and Modded APKs
First detected in 2019, the Necro trojan initially infected the popular app CamScanner, affecting users despite the app’s 100 million-plus downloads. A security patch eventually resolved the issue. However, Kaspersky researchers have now detected a new variant of the Necro trojan in two Google Play apps: Wuta Camera, with over 10 million downloads, and Max Browser, with more than one million downloads. After being alerted, Google has since removed these infected apps from the store.
A significant risk arises from unofficial “modded” versions of popular apps hosted on third-party websites. Users unknowingly download these infected APKs, leading to their devices being compromised. Among the apps identified with malware are modified versions of Spotify, WhatsApp, Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox, which offer premium features typically behind a paywall.
Attackers are using various methods to target users. For example, the Spotify mod was found to contain an SDK with multiple advertising modules, which triggered the trojan payload if users interacted with image-based ads. Similarly, in a modded version of WhatsApp, attackers manipulated Google’s Firebase Remote Config service to act as a command-and-control (C&C) server, deploying the trojan when users interacted with certain features.
Once deployed, the Necro trojan can download executable files, install third-party applications, and open hidden WebView windows to run JavaScript code. It can also sign users up for expensive subscription services without their knowledge.
Although the infected Google Play apps have been removed, users are strongly advised to be cautious when downloading apps from third-party sources. It is recommended to avoid downloading apps from untrusted marketplaces and verify the source before installation.
