Necro

Necro is a multi-stage trojan downloader that has twice infiltrated Google Play through compromised advertising SDKs embedded in legitimate applications. Kaspersky first identified the family in 2019 inside CamScanner, a document scanning app with over 100 million installs, where a third-party advertising SDK called "AdHub" contained the Necro dropper. After a five-year gap, Kaspersky documented a far more advanced resurgence in September 2024, finding a new variant inside Wuta Camera (10M+ installs) and Max Browser (1M+ installs) through a malicious SDK called "Coral SDK." The 2024 variant is notable for using image steganography to hide payloads inside PNG files, a technique rarely seen in Android malware. Total affected installs exceeded 11 million through official Google Play distribution alone, with additional infections through modded APKs of Spotify, WhatsApp, and Minecraft distributed on unofficial channels.

Overview

Attribute   | Details
First Seen  | August 2019 (CamScanner incident)
Last Seen   | Active
Status      | Active, Coral SDK variant in the wild
Type        | Trojan downloader, adware, proxy, subscription fraud
Attribution | Unknown
Aliases     | Necro Trojan, NecroBot

Vendor Names

Vendor      | Name
Kaspersky   | HEUR:Trojan-Downloader.AndroidOS.Necro / Trojan-Dropper.AndroidOS.Necro.n (2019)
ESET        | Android/TrojanDownloader.Necro
McAfee      | Android/Necro
Bitdefender | Android.Trojan.Downloader.Necro

Origin and Lineage

Necro has no direct code lineage to any documented banking trojan family; it operates as a modular downloader platform rather than a credential-stealing trojan.

The 2019 variant (Trojan-Dropper.AndroidOS.Necro.n) was a straightforward dropper that decrypted and executed malicious code from a file called mutter.zip stored in the app's resources. Kaspersky noted that the same module had been observed preinstalled on some Chinese smartphones, suggesting the operators had multiple distribution strategies from the start.

The 2024 variant represents a complete architectural rewrite. The dropper evolved into a multi-stage loader with steganography-based payload delivery, a modular plugin system, and distribution through a purpose-built malicious SDK (Coral SDK) designed to look like a legitimate advertising component. The only thread connecting the two generations is the Necro detection name and the shared supply chain vector of hiding inside third-party SDKs bundled with legitimate apps.

The supply chain approach mirrors Triada's strategy of embedding in legitimate software to reach massive install bases, though Necro operates at the SDK level rather than the firmware level. The 2024 campaign's use of SDK supply chain compromise is directly comparable to Goldoson, where a malicious SDK was embedded in 60+ apps with 100M+ downloads.

Distribution

Necro reaches users through two vectors: compromised legitimate apps on Google Play and modified APKs distributed through unofficial channels.

Google Play (SDK Compromise)

2019: CamScanner

CamScanner, a document scanning app with 100M+ installs on Google Play, contained the Necro.n dropper inside a third-party advertising SDK provided by "AdHub." The malicious component was introduced without the app developer's knowledge. After Kaspersky's report, Google removed CamScanner from the Play Store. The app was later republished with the malicious SDK removed.

2024: Coral SDK

App         | Developer               | Downloads | Infected Versions           | Clean Version
Wuta Camera | Benqu                   | 10M+      | 6.3.2.148 through 6.3.6.148 | 6.3.7.138+
Max Browser | WA message recover-wamr | 1M+       | Up to 1.2.0 (all versions)  | None (removed from Play Store)

The Coral SDK presented itself as a legitimate advertising integration module. App developers included it as part of a broader advertising SDK called "adsrun" initialized in the application's onCreate method. The malicious behavior was buried inside the Coral SDK subcomponent, hidden behind obfuscated native code and an apparently legitimate API surface. The developers of these apps were likely unaware of the SDK's true purpose.

After Kaspersky's report, Google removed the malicious code from Wuta Camera (clean version 6.3.7.138 shipped September 2024), and Max Browser was taken down entirely since no clean version existed.

Unofficial Channels (Mod APKs)

Modified versions of popular apps distributed through third-party sites, forums, and Telegram channels also carry Necro. Kaspersky documented the following infected mods:

Modded App              | Example                   | Loader Mechanism
Spotify                 | "Spotify Plus" v18.9.40.5 | Custom advertising SDK with embedded loader
WhatsApp                | Modified WhatsApp builds  | Necro loader injected into repackaged APK
Minecraft               | Modded game APKs          | Loader integrated into mod framework
Stumble Guys            | Game mods                 | Loader in repackaged APK
Car Parking Multiplayer | Game mods                 | Loader in repackaged APK
Melon Sandbox           | Game mods                 | Loader in repackaged APK

The Spotify mod is particularly well-documented. The "Spotify Plus" v18.9.40.5 mod implements a custom Application subclass that initializes the adsrun SDK in its onCreate method. This SDK loads the Coral SDK component, which contacts the C2 server to fetch the steganographic payload. The mod promises premium features for free, attracting users searching for cracked apps on third-party download sites.

Capabilities

Capability                      | Description
Steganographic payload delivery | Hides second-stage payloads in PNG image files using pixel value encoding
Invisible ad display            | Loads and renders ads in invisible WebView windows, generating fraudulent impressions
Arbitrary DEX/JAR execution     | Downloads and executes additional modules from C2
Proxy tunneling                 | Routes third-party traffic through infected devices via SOCKS/HTTP proxy
Subscription fraud              | Automates WAP billing enrollment via invisible browser sessions
JavaScript execution            | Executes arbitrary JavaScript in hidden WebView contexts
App installation                | Downloads and silently installs additional APKs

Technical Details

Infection Chain

The 2024 Necro variant follows a multi-stage loading process:

Host App (Google Play or mod APK)
    -> Application.onCreate() initializes "adsrun" advertising SDK
    -> adsrun SDK initializes Coral SDK subcomponent
    -> Coral SDK loads native library (libcoral.so or libsvm.so)
    -> Native library sends encrypted POST to C2 with device info
    -> C2 responds with JSON containing PNG image URL + metadata (MD5, version)
    -> Coral SDK downloads PNG image
    -> Steganography algorithm extracts Base64-encoded JAR from pixel values
    -> JAR loaded via DexClassLoader (shellPlugin - second stage)
    -> shellPlugin fetches and loads functional plugins from C2
    -> Plugins execute based on C2 configuration
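The chain above names several static artifacts an analyst can look for in an APK before it ever runs: the native library names (libcoral.so, libsvm.so), the second-stage entry class sdk.fkgh.mvp.SdkEntry, and the "adsrun" SDK name. The following triage script is an added example, not code from the page or from Kaspersky or Zimperium; it treats the APK as the ZIP archive it is, and the sample APK it scans is constructed in memory rather than taken from a real sample. Indicator strengths are the editor's own weighting.

```python
"""
Static triage of an APK for the Coral SDK indicators named on this page.
Added example, not code from the original page or from the vendors cited.
An APK is a ZIP archive, so zipfile is enough; the fixture APK below is
constructed in memory and is not a real Necro sample.
"""
import io
import zipfile

# Native library names from the infection chain / obfuscation sections.
# libsvm.so alone is weak: the name collides with the legitimate LIBSVM library.
NATIVE_LIB_NAMES = {"libcoral.so": "strong", "libsvm.so": "weak"}

# Strings from the page. DEX string tables hold class names in descriptor
# form (Lsdk/fkgh/mvp/SdkEntry;), so both slash and dotted forms are checked.
STRING_INDICATORS = {
    b"sdk/fkgh/mvp/SdkEntry": "strong",
    b"sdk.fkgh.mvp.SdkEntry": "strong",
    b"adsrun": "weak",          # short, English-like token; hint only
}


def scan_apk(apk_bytes):
    """Return a list of (indicator, strength, location) hits found in the APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if name.startswith("lib/") and base in NATIVE_LIB_NAMES:
                hits.append((base, NATIVE_LIB_NAMES[base], name))
            # Only DEX files and native libs are worth a byte search here.
            if base.endswith(".dex") or name.startswith("lib/"):
                blob = zf.read(name)
                for needle, strength in STRING_INDICATORS.items():
                    if needle in blob:
                        hits.append((needle.decode(), strength, name))
    return hits


def verdict(hits):
    """Escalate on any strong indicator; weak indicators alone only ask for review."""
    if any(strength == "strong" for _, strength, _ in hits):
        return "suspicious"
    if hits:
        return "review"
    return "no-indicators"


def _build_fixture_apk(include_loader=True):
    """Constructed APK with a fake DEX string table and a fake native lib (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        dex = b"dex\n035\0" + b"Lcom/example/app/MainActivity;"
        if include_loader:
            dex += b"Lsdk/fkgh/mvp/SdkEntry;" + b"adsrun"
            zf.writestr("lib/arm64-v8a/libcoral.so", b"\x7fELF" + b"\0" * 32)
        zf.writestr("classes.dex", dex)
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for indicator, strength, where in scan_apk(_build_fixture_apk()):
        print(f"{strength:6} {indicator} in {where}")
    print(verdict(scan_apk(_build_fixture_apk())))
```

Because the 2024 loader keeps its real logic in OLLVM-obfuscated native code and loads the second stage dynamically, a clean result from this scan rules out only the known names; it says nothing about a renamed library, which is why the class-name and library checks are scored separately.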

Steganography Loader

The most distinctive technical feature of the 2024 variant is payload concealment within PNG images. The Coral SDK uses a custom steganographic algorithm that operates on pixel color channels:

  1. Downloads a PNG image from C2 infrastructure
  2. Extracts pixel values from the ARGB channels using standard Android bitmap methods (getPixel)
  3. Reads the blue channel of each pixel as data bytes
  4. Interprets the first four bytes as a little-endian integer specifying the payload size
  5. Reads the subsequent bytes up to the specified size
  6. Decodes the resulting byte array as Base64, producing a JAR file
  7. Loads the JAR via DexClassLoader, instantiating the class sdk.fkgh.mvp.SdkEntry
  8. Calls the run method on the loaded class to begin execution

This technique evades network-level inspection since the download appears to be a standard image request. Traditional network monitoring tools see an HTTP request for a PNG, not a malware download. The MD5 hash provided in the C2 response serves as an integrity check before extraction proceeds.
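The eight steps above are enough to write an analyst-side extractor that decides whether a PNG pulled from a suspicious C2 response carries a Necro-style payload. The script below is an added example, not code from the page or from Kaspersky or Zimperium. It works on the ARGB pixel array a Bitmap.getPixel() loop would produce (one 0xAARRGGBB int per pixel, row-major), applies the MD5 integrity check mentioned above and in the C2 Communication section, and then validates the length header, the Base64 text and the ZIP/JAR magic. The carrier image and the "PNG bytes" it hashes are constructed in memory; the real loader would decode an actual PNG first.

```python
"""
Analyst-side extractor for the Necro-style PNG steganography described above.
Added example, not code from the original page or from Kaspersky/Zimperium.
Operates on an Android-style ARGB pixel array; the fixture below is
constructed and is not a real sample.
"""
import base64
import binascii
import hashlib
import io
import struct
import zipfile

JAR_MAGIC = b"PK\x03\x04"   # a JAR is a ZIP archive; first local file header


def blue_channel(pixels):
    """Blue is the low byte of an Android ARGB int (0xAARRGGBB)."""
    return bytes(p & 0xFF for p in pixels)


def extract_payload(pixels):
    """
    Steps 3-6 of the loader as described on the page:
      blue bytes 0..3      = little-endian payload length,
      next `length` bytes  = Base64 text,
      Base64-decoded       = JAR.
    Returns (jar_bytes, "ok") or (None, reason). Each rejection is the point
    where a benign image stops looking like a carrier.
    """
    data = blue_channel(pixels)
    if len(data) < 4:
        return None, "image too small for a length header"
    (length,) = struct.unpack("<I", data[:4])
    if length == 0 or length > len(data) - 4:
        return None, "length header %d does not fit in %d carrier bytes" % (length, len(data) - 4)
    try:
        jar = base64.b64decode(data[4:4 + length], validate=True)
    except (binascii.Error, ValueError):
        return None, "bytes after header are not valid Base64"
    if not jar.startswith(JAR_MAGIC):
        return None, "decoded bytes are not a ZIP/JAR archive"
    return jar, "ok"


def verify_md5(png_bytes, expected_hex):
    """Integrity check the loader performs on the downloaded PNG before extraction."""
    return hashlib.md5(png_bytes).hexdigest().lower() == expected_hex.lower()


def triage_image(pixels, png_bytes, expected_md5):
    """Combine the MD5 check with extraction and return an analyst verdict."""
    if not verify_md5(png_bytes, expected_md5):
        return {"verdict": "md5-mismatch", "jar": None, "reason": "hash"}
    jar, reason = extract_payload(pixels)
    if jar is None:
        return {"verdict": "clean-or-unknown", "jar": None, "reason": reason}
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        entries = zf.namelist()
    return {"verdict": "stego-jar", "jar": jar, "entries": entries, "reason": reason}


def _build_fixture():
    """Constructed carrier: a tiny JAR, Base64-encoded, laid into the blue
    channel of a 64x64 ARGB image; alpha/red/green are fixed so only blue varies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)   # placeholder content
    jar = buf.getvalue()
    b64 = base64.b64encode(jar)
    carrier = struct.pack("<I", len(b64)) + b64
    width = height = 64
    if len(carrier) > width * height:
        raise ValueError("fixture payload larger than carrier image")
    carrier = carrier.ljust(width * height, b"\x00")
    pixels = [0xFF7F7F00 | b for b in carrier]          # opaque, fixed R/G, blue = data
    png_bytes = b"PNG-STANDIN:" + carrier                 # stand-in for the file the loader hashes
    return pixels, png_bytes, hashlib.md5(png_bytes).hexdigest(), jar


if __name__ == "__main__":
    px, png, md5, _ = _build_fixture()
    result = triage_image(px, png, md5)
    print(result["verdict"], result.get("entries"))
```

On a real file the pixel array would come from a PNG decoder (Pillow's `Image.open(path).convert("RGBA")` gives (R, G, B, A) tuples, so the blue value is index 2 rather than the low byte); PNG is lossless, which is what makes an exact byte-for-byte channel encoding like this workable for the attacker and exactly reproducible for the analyst. The plausibility check on the length header is the cheap first filter: in an ordinary photograph the first four blue values almost never form a length that fits the image and is followed by a run of valid Base64.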

Coral SDK Obfuscation

The Coral SDK uses multiple layers of obfuscation to hide its true purpose:

Technique                  | Implementation
Native library obfuscation | libcoral.so (78% of samples) and libsvm.so (22%) obfuscated with OLLVM
String encryption          | All sensitive strings decrypted at runtime
Dynamic class loading      | Actual functionality hidden behind DexClassLoader invocations
Legitimate API surface     | SDK exposes standard-looking advertising APIs to app developers
Probabilistic activation   | Loader generates a random number (0-99) and only activates if it exceeds a threshold (9 or 15 depending on package name), reducing analysis exposure

Zimperium's analysis found 12 unique hashes for libcoral.so across samples, indicating active development and versioning of the native loader component.

Modular Plugin Architecture

After the shellPlugin second stage loads, Necro operates as a plugin platform. The C2 server delivers functional modules based on the infected device's profile and the operator's current campaign objectives:

Plugin    | Internal Name | Function
NProxy    | NProxy        | Creates a tunnel through the victim's device. Connects to a hardcoded server that issues commands to forward traffic between endpoints, turning the device into a proxy node.
Island    | island        | Manages ad display timing. Generates a pseudo-random interval (in milliseconds) between displays of intrusive ads in invisible WebViews.
Web       | web           | The most widely deployed plugin per Kaspersky telemetry. Contacts C2 periodically to receive page URLs, opens them in background WebViews, and processes interactive elements on those pages. Executes arbitrary JavaScript.
Cube SDK  | Cube SDK      | Helper module that loads other ad-handling plugins in the background. Acts as a plugin orchestrator rather than performing direct malicious actions.
Happy SDK | Happy SDK     | Combines NProxy and Web module functionality into a single plugin. Appears in a non-modular Necro variant where plugins are not loaded individually. Also encountered under the name "Jar SDK" (newer version).
Tap       | Tap           | Downloads arbitrary JavaScript and a WebView interface from C2 for interacting with subscription and ad pages. Still under active development with unused code paths for WAP billing automation.

The modular architecture gives the operators flexibility to deliver targeted payloads based on device characteristics, geographic region, or current monetization strategy. A device might receive only the ad fraud modules, or it might be enrolled as a proxy node, or both.

C2 Communication

The Coral SDK communicates with C2 infrastructure using the following protocol:

Initial Registration: The SDK sends an encrypted POST request containing device information (IMEI, OS version, app package name, debugging status) and host app metadata. The encryption uses a substitution cipher where substitution values are generated by a Java pseudo-random number generator seeded with a predefined constant.

C2 Response: The server returns a JSON response encrypted with the same method. A 0 error code indicates success. On success, the response includes an array containing:

  • URL to download the PNG image (steganographic payload)
  • Expected MD5 hash for integrity verification
  • SDK version number (sdkver field, observed at value 101 indicating active development)
  • Plugin configuration and management settings

Plugin C2: Individual plugins maintain their own C2 channels. The NProxy plugin connects to a separate server defined in its code for proxy command routing. The Web plugin periodically polls its C2 for new page lists and JavaScript payloads.

Known C2 domains include bearsplay[.]com for the initial loader stage.

2019 Variant (Necro.n)

The original 2019 dropper was simpler in design:

  1. App launches and the malicious advertising SDK activates
  2. Dropper decrypts and executes code from mutter.zip in the app's resources
  3. Extracted code functions as a Trojan Downloader, fetching additional payloads from remote servers
  4. Downloaded payloads perform ad display and subscription fraud

It used no steganography, no modular plugin system and no native library obfuscation. The jump from Necro.n to the 2024 Coral SDK variant represents a significant investment in evasion engineering.

Target Regions

Necro is not region-specific. The supply chain distribution via Google Play apps means infections follow each app's global user base. Kaspersky's telemetry between August 26 and September 15, 2024, recorded the highest attack concentrations in:

Region          | Countries
Eastern Europe  | Russia (highest volume)
South America   | Brazil, Ecuador
Southeast Asia  | Vietnam
Central America | Mexico

The geographic spread reflects both the Play Store apps' user bases and the popularity of modded APKs in regions where paid app subscriptions are less common.

Notable Campaigns

2019, August: Kaspersky discovers Necro.n inside CamScanner, a document scanning app with 100M+ Google Play installs. The dropper was introduced through a third-party advertising SDK (AdHub). Kaspersky reports the finding to Google, and CamScanner is temporarily removed from the Play Store. The app returns after removing the malicious SDK. Kaspersky also notes the same Necro.n module appearing preinstalled on some Chinese smartphones.

2024, Late August: Kaspersky identifies the new Coral SDK-based Necro variant inside Wuta Camera (10M+ installs) and Max Browser (1M+ installs) on Google Play. The new variant uses image steganography for payload delivery and a full modular plugin system. Kaspersky also documents Necro in modded APKs of Spotify ("Spotify Plus" v18.9.40.5), WhatsApp, Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox distributed through unofficial channels.

2024, September: Kaspersky publishes the full technical analysis and reports to Google. Wuta Camera is updated to version 6.3.7.138 with the Coral SDK removed. Max Browser is pulled from the Play Store entirely (its latest version 1.2.0 still contained Necro). Between August 26 and September 15, Kaspersky blocks over 10,000 Necro attacks worldwide.

2024, September: Zimperium publishes supplementary analysis documenting the libcoral.so and libsvm.so native library variants, identifying 12 unique hashes for the primary loader library and noting the C2 SDK version field at 101, indicating ongoing development.

Triada pioneered the supply chain approach at the firmware level, pre-installing malware on budget Android devices through compromised OEM vendors. Necro applies the same principle at the SDK level, compromising legitimate apps through malicious advertising components. Kaspersky noted that Necro.n (2019 variant) C2 domains overlapped with infrastructure used by the xHelper trojan, suggesting potential operational connections or shared infrastructure.

Goldoson used an identical SDK-based supply chain vector, affecting 60+ apps with 100M+ downloads in South Korea. Harly and Joker operate in the same subscription fraud space as Necro's Tap plugin, though they distribute directly through Play Store apps rather than through SDK supply chain compromise. Mandrake shares the use of OLLVM-obfuscated native libraries and multi-stage loading, though Mandrake targets espionage rather than ad fraud.

References