Concealment techniques empower malicious actors to conceal confidential details within regular, non-sensitive content or communications to evade detection.
Common methods involve integrating text into visuals or audio files, frequently combined with encryption to boost protection.
Recently uncovered by cybersecurity analysts at Kaspersky Lab, the Necro trojan utilizes covert communication methods to compromise a staggering 11 million Android gadgets.
11 Million Android Devices Hacked
Referred to as the “Necro Trojan,” this sophisticated Android malware is multi-staged in nature and has infiltrated both legitimate sources such as “Google Play” and unofficial app platforms, affecting over 11 million devices.
This malicious software capitalizes on popular applications like “Wuta Camera,” “Max Browser,” and altered versions of widely used apps such as Spotify, WhatsApp, and Minecraft.
Necro makes use of sophisticated evasion tactics like obscuring using “OLLVM,” concealing payloads within “PNG images” through steganography, and a flexible modular architecture, as detailed in the analysis.
The contamination process initiates with a loading mechanism that communicates with C2 servers, often leveraging “Firebase Remote Config.”
The plugin loader is responsible for downloading and executing several plugins, with each assigned a malicious role.
Below, we elaborate on the various malicious purposes:-
- Displaying hidden ads
- Executing custom DEX files
- Installing apps
- Launching links in concealed WebView instances
- Executing JavaScript code
- Enrolling in premium services
Necro’s plugins (‘NProxy,’ ‘island,’ ‘web,’ ‘Happy SDK,’ ‘Cube SDK,’ and ‘Tap’) undertake actions from establishing connections via victim devices to manipulating ad interactions.
The self-update feature showcases the malware’s adaptability, utilizing reflection to include privileged “WebView” instances within processes, aiding in bypassing security measures.
Monitoring applications within official app stores is vital, demonstrated by the emergence of app-related security risks.
Between August 26 and September 15, more than “10,000 Necro assaults” were uncovered globally, with Russia, Brazil, and Vietnam experiencing the highest infection rates.
The Trojan’s modular structure allows the creators to deliver targeted updates and incorporate new malevolent modules as needed, largely contingent on the compromised application.
The utilization of “concealment techniques” stands out as an unconventional strategy in mobile malware.
This blend of methodologies showcases the advancing complexity of mobile threats, suggesting that the actual count of infected devices could be considerably higher than initially estimated.
The post Necro Trojan Using Concealment Strategies To Breach 11 Million Android Devices appeared first on Cyber Security News.