The Mobile Malware Chronicles: Necro.N - Volume 101
Essential information
- Published: 21/10/2024 10:49
- Modified: 21/10/2024 10:53
- Tags: 2024-10-21, advertising sdk, c2 server, fleeceware, joker, libcoral.so, libsvm.so, mobile malware, necro.n, obfuscation, steganography
- Related entities: 6 observables, 2 malware
Description
Zimperium's zLabs researchers have been tracking Necro.N, a highly intrusive mobile malware campaign, since July. The malware, a possible successor to Joker, uses obfuscation and steganography to hide malicious payloads within images. It downloads those payloads from C2 servers, which enables remote code execution on infected devices. It is distributed through a deceptive advertising SDK integrated into mobile apps. Two main libraries, 'libcoral.so' and 'libsvm.so', are used to execute the malicious code: of the 37 samples analyzed, 78% used 'libcoral.so' and 22% used 'libsvm.so'. The malware can install applications, open invisible WebViews, and subscribe victims to unwanted paid services. Zimperium's on-device detection engine has successfully identified and neutralized all related malware samples and malicious URLs.