The Mobile Malware Chronicles: Necro.N - Volume 101
Oct. 21, 2024, 10:53 a.m.
Description
Zimperium's zLabs researchers have been tracking Necro.N, a highly intrusive mobile malware campaign, since July. This malware, potentially succeeding Joker, uses obfuscation and steganography to hide malicious payloads within images. It downloads payloads from C2 servers, enabling remote code execution on infected devices. The malware is distributed through a deceptive advertising SDK integrated into mobile apps. Two main libraries, 'libcoral.so' and 'libsvm.so', are used to execute the malicious code. Out of 37 samples analyzed, 78% used 'libcoral.so' and 22% used 'libsvm.so'. The malware can install applications, open invisible WebViews, and subscribe victims to unwanted paid services. Zimperium's on-device detection engine has successfully identified and neutralized all related malware samples and malicious URLs.
Date
Published: Oct. 21, 2024, 10:49 a.m.
Created: Oct. 21, 2024, 10:49 a.m.
Modified: Oct. 21, 2024, 10:53 a.m.
Indicators
Attack Patterns
Joker
Necro.N