Full Report
Zimperium researchers analyze Necro.N and focus on its distinguishing differences and elements. The post The Mobile Malware Chronicles: Necro.N – Volume 101 appeared first on Zimperium.
Analysis Summary
# Tool/Technique: Necro.N Mobile Malware
## Overview
Necro.N is an intrusive mobile malware campaign identified as a potential successor to the Joker malware. It is primarily distributed through deceptive advertising SDKs that developers integrate into their applications without knowing the SDK's true behaviour. Its capabilities include remote code execution, installing applications, opening invisible web views to run JavaScript, and subscribing victims to unwanted paid services (fleeceware behaviour).
## Technical Details
- Type: Malware family
- Platform: Mobile, implied to be Android by the use of native `.so` libraries and a boot-completed broadcast receiver (the source writes `BOOT_COMPLETE`; the Android action is `android.intent.action.BOOT_COMPLETED`)
- Capabilities: Evasion using obfuscation and steganography, C2 communication via HTTP, remote code execution, subscription fraud.
- First Seen: Tracking began in July [Year not specified, context implies 2024].
## MITRE ATT&CK Mapping
The technique IDs below belong to the ATT&CK for Mobile matrix, so the tactic IDs are given in their Mobile form rather than the Enterprise TA0001-style IDs.
- **TA0027 - Initial Access**
  - T1661 - Application Versioning (distributed through app stores via the deceptive SDK)
- **TA0041 - Execution**
  - T1575 - Native API (samples initialize the malicious code through native calls)
- **TA0028 - Persistence**
  - T1398 - Boot or Logon Initialization Scripts (able to execute on device boot; the report describes on-boot execution, which the broadcast receiver entry below captures more precisely)
  - T1624.001 - Event Triggered Execution: Broadcast Receivers (registers a `BOOT_COMPLETED` receiver)
- **TA0030 - Defense Evasion**
  - T1407 - Download New Code at Runtime (downloads and loads a DEX file at runtime)
  - T1406.001 - Obfuscated Files or Information: Steganography (hides the DEX payload inside images)
  - T1406.002 - Obfuscated Files or Information: Software Packing (the report describes code obfuscation; packing specifically is not confirmed, so the parent T1406 may be the more accurate reference)
- **TA0032 - Discovery**
  - T1426 - System Information Discovery (extracts device information such as IMEI and OS details)
- **TA0037 - Command and Control**
  - T1437.001 - Application Layer Protocol: Web Protocols (uses HTTP for C2 communication)
- **TA0031 - Credential Access**
  - T1517 - Access Notifications (a few samples can read device notifications)
- **TA0035 - Collection**
  - T1517 - Access Notifications (the same notification access, mapped to both tactics as ATT&CK Mobile does)
## Functionality
### Core Capabilities
- **Payload Delivery:** Uses steganography to hide the malicious payload (DEX file) within images. It employs a native library (`libcoral.so` or `libsvm.so`) to decode this payload after contacting the C2 server.
- **Remote Code Execution:** Downloads and executes remote code obtained from the C2 server.
- **Fleeceware Activity:** Subscribes users to unwanted paid services.
- **Initial Evasion:** Utilizes code obfuscation techniques to hinder analysis and evade security vendors.
### Advanced Features
- **Steganography:** Hides the DEX payload within image files using a specialized steganographic algorithm.
- **Modular structure:** Relies on two distinct native libraries for core functionality: `libcoral.so` (used in 78% of samples) and `libsvm.so` (used in 22% of samples), with 12 distinct hashes observed for `libcoral.so` and 2 for `libsvm.so`.
- **Active Development:** The discovery of an `sdkver` field reporting "101" indicates ongoing development and refinement by the threat actor.
## Indicators of Compromise
- File Hashes: [Hashes not provided in text, but noted that 37 samples were collected.]
- File Names: Core elements identified as native libraries: `libcoral.so`, `libsvm.so`.
- Registry Keys: Not applicable (Android has no registry).
- Network Indicators: The C2 infrastructure used for payload distribution remains active. Specific domains or IPs are not given in the text, which only refers to the "domain used to distribute the first stage payload".
- Behavioral Indicators: Initialization through native calls, execution on boot (a `BOOT_COMPLETED` receiver), downloading and loading DEX files at runtime, and subscribing users to paid services without consent.
## Associated Threat Actors
- Threat actors targeting mobile application developers by distributing deceptive advertising SDKs. (No specific APT group name is provided).
## Detection Methods
- Signature-based detection: Unreliable on its own; many variants show low or zero detection rates across other security vendors.
- Behavioral detection: Relies on identifying native initialization, runtime code loading, and fleeceware activity. Zimperium reports success with its On-Device Dynamic Detection Engine, which combines machine learning with behavioral analysis.
- YARA rules: [Not explicitly provided.]
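The file-name, boot-receiver and runtime-DEX-loading indicators listed above, together with the behavioral detection angle in this section, can be folded into a static triage pass over an APK. The following is an added example, not Zimperium's detection engine or any code from the report. It assumes an APK is a plain zip, that the binary `AndroidManifest.xml` string pool can be searched for the boot action in UTF-16LE or UTF-8, and that a hidden DEX may betray itself by its `dex\n` header inside an image file. That last check is a generic heuristic for appended or lightly wrapped payloads, because the report does not describe Necro.N's actual steganographic encoding; the in-memory sample APK and the risk weights are constructed for illustration.

```python
import io
import re
import zipfile

# Native library names the report ties to Necro.N samples.
SUSPECT_NATIVE_LIBS = {"libcoral.so", "libsvm.so"}
# The Android boot broadcast a BOOT_COMPLETED receiver listens for.
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# DEX file header: "dex\n" + three-digit version + NUL (035, 037, 038, 039).
DEX_MAGIC = re.compile(rb"dex\n03[5-9]\x00")
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".webp", ".gif")


def manifest_has_boot_receiver(manifest_bytes: bytes) -> bool:
    # Binary AXML keeps its string pool in UTF-16LE or UTF-8; check both so the
    # heuristic does not depend on a full AXML parser.
    return (BOOT_ACTION.encode("utf-16-le") in manifest_bytes
            or BOOT_ACTION.encode("utf-8") in manifest_bytes)


def image_contains_dex(data: bytes) -> bool:
    # Generic heuristic (assumption): a DEX header anywhere inside an image file.
    # It catches appended or lightly wrapped payloads, not every encoding;
    # Necro.N's own steganographic scheme is not described in the report.
    return DEX_MAGIC.search(data) is not None


def triage_apk(apk_bytes: bytes) -> dict:
    findings = {"native_libs": [], "boot_receiver": False, "dex_in_images": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            base = name.rsplit("/", 1)[-1]
            if name.startswith("lib/") and base in SUSPECT_NATIVE_LIBS:
                findings["native_libs"].append(name)
            elif name == "AndroidManifest.xml":
                findings["boot_receiver"] = manifest_has_boot_receiver(z.read(name))
            elif name.lower().endswith(IMAGE_EXTS) and image_contains_dex(z.read(name)):
                findings["dex_in_images"].append(name)
    return findings


def risk_score(findings: dict) -> int:
    # Weights are illustrative assumptions: a DEX hidden in an image is the
    # strongest single signal, the known library names next, and a boot
    # receiver last because many benign apps register one.
    score = 0
    if findings["dex_in_images"]:
        score += 3
    if findings["native_libs"]:
        score += 2
    if findings["boot_receiver"]:
        score += 1
    return score


def build_sample_apk(malicious: bool = True) -> bytes:
    # Constructed in-memory APK so the example runs offline; not a real sample.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = b"\x03\x00\x08\x00"  # fake AXML chunk header
        if malicious:
            manifest += BOOT_ACTION.encode("utf-16-le")
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("lib/arm64-v8a/libc++_shared.so", b"\x7fELF" + b"\x00" * 60)
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 40)
        if malicious:
            z.writestr("lib/arm64-v8a/libcoral.so", b"\x7fELF" + b"\x00" * 60)
            # PNG signature, filler bytes, then a DEX header buried mid-file.
            z.writestr("assets/banner.png",
                       b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"dex\n035\x00" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("malicious", build_sample_apk(True)),
                       ("benign", build_sample_apk(False))):
        result = triage_apk(apk)
        print(label, risk_score(result), result)
```

Against a real APK, pass the file bytes to `triage_apk`; a score of 3 or more means at least one strong indicator was present and the sample deserves dynamic analysis, since the C2-driven DEX fetch described in the report only shows up at runtime.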
## Mitigation Strategies
- Deploy proactive, robust Mobile Threat Defense (MTD) solutions for enterprise users.
- Use Mobile Application Protection Suite (MAPS) tooling to vet applications and the third-party SDKs they bundle.
- Focus on protecting against mobile threats that leverage SDK distribution techniques.
## Related Tools/Techniques
- Joker (Malware family, considered a predecessor).
- Use of deceptive advertising SDKs.
- Fleeceware techniques.