The new version of the Necro Trojan infiltrated popular apps, like Spotify mods and WhatsApp mods, with over 11 million Android devices affected. The Trojan authors used steganography to hide payloads and obfuscation to avoid detection. Google Play apps like Wuta Camera and Max Browser were found with the Necro loader, leading to Google taking the infected apps down
WhatsApp mods with the Necro loader were also discovered. The Necro Trojan executes malicious functionalities like displaying ads, downloading DEX files, and subscribing to paid services. The payload structure involved extracting configurations from C2 servers and loading plugins with various methods. The lifecycle of the Necro Trojan included several modules like NProxy, Island, and Web/Lotus SDK, showing how the Trojan infects devices and executes intrusive tasks. The Necro attacks were widespread, with over ten thousand blocked attacks globally, mostly in Russia, Brazil, and Vietnam, highlighting the Trojan's impact on a global scale. ```https://securelist.com/necro-trojan-is-back-on-google-play/113881/