One of the most popular Android apps, CamScanner, appears to be silently installing the Necro Trojan on victim devices, according to a new security report. It is very possible that the developers did not do this intentionally, as the malicious code is probably masquerading as an advertising package.
Android CamScanner App Found To Silently Deploy The Necro Trojan
One of the most popular apps for the Android operating system has been found to carry a very dangerous Trojan threat. The application in question is called CamScanner and its main purpose is to easily convert images to PDF. A security analysis has uncovered that some of its versions also deploy the Necro Trojan. The specialists speculate that this was not intentional on the developers' part, and that they were instead fooled into integrating an advertising module. The Trojan code has been found to be part of a library that is embedded in the application. Usually these libraries are added as part of a partnership deal with an advertising provider.
The analysis of the Necro Trojan shows that the versions found within the contaminated CamScanner Android app will run this malware when the application is installed on the mobile device. However, the Necro Trojan does not appear to perform any of the common actions expected of it, such as data theft. The analysis shows that its main action is downloading other components, which indicates that a complex infection campaign is being orchestrated. As a consequence, the hackers in control of the Necro Trojan can trigger all kinds of actions as they please:
- Information Gathering — The criminals can search the infected device’s memory for valuable information. This can be used to look for passwords or even to watch, in real time, for user input entered into banking services.
- App Manipulation — The Trojan can be used to interact with the installed system and applications. This can result in changed settings, issues and unexpected errors.
- Malware Delivery — It can be used to deliver dangerous modules such as ransomware and cryptocurrency miners.
Because the malicious package was identified live in the CamScanner app, the app has been taken down from the Google Play Store. We expect it to reappear with the Necro Trojan code removed and with a statement from the developers.