Cybersecurity researchers are calling attention to an Android malware campaign that leverages Microsoft’s .NET Multi-platform App UI (.NET MAUI) framework to create bogus banking and social media apps targeting Indian and Chinese-speaking users.
“These threats disguise themselves as legitimate apps, targeting users to steal sensitive information,” McAfee Labs researcher Dexter Shin said.
.NET MAUI is Microsoft’s cross-platform desktop and mobile app framework for creating native applications using C# and XAML. It represents an evolution of Xamarin, with added capabilities to not only create multi-platform apps using a single project, but also incorporate platform-specific source code as and when necessary.
It is worth noting that official support for Xamarin ended on May 1, 2024, with the tech giant urging developers to migrate to .NET MAUI.
While Android malware implemented using Xamarin has been detected in the past, the latest development signals that threat actors are continuing to adapt and refine their tactics by creating new malware using .NET MAUI.
“These apps have their core functionalities written entirely in C# and stored as blob binaries,” Shin said. “This means that, unlike traditional Android apps, their functionalities do not exist in DEX files or native libraries.”
This offers a newfound advantage to threat actors in that .NET MAUI acts as a packer, allowing the malicious artifacts to evade detection and persist on victim devices for extended periods of time.
The .NET MAUI-based Android apps, collectively codenamed FakeApp, and their associated package names are listed below –
- X (pkPrIg.cljOBO)
- 迷城 (pCDhCg.cEOngl)
- X (pdhe3s.cXbDXZ)
- X (ppl74T.cgDdFK)
- Cupid (pommNC.csTgAT)
- X (pINUNU.cbb8AK)
- 私密相册 (pBOnCi.cUVNXz)
- X•GDN (pgkhe9.ckJo4P)
- 迷城 (pCDhCg.cEOngl)
- 小宇宙 (p9Z2Ej.cplkQv)
- X (pDxAtR.c9C6j7)
- 迷城 (pg92Li.cdbrQ7)
- 依恋 (pZQA70.cFzO30)
- 慢夜 (pAQPSN.CcF9N3)
- indus credit card (indus.credit.card)
- Indusind Card (com.rewardz.card)
There is no evidence that these apps are distributed via Google Play. Rather, the main propagation vector involves tricking users into clicking on bogus links sent via messaging apps that redirect unwitting recipients to unofficial app stores.
In one instance highlighted by McAfee, the app masquerades as an Indian financial institution to gather users’ sensitive information, including full names, mobile numbers, email addresses, dates of birth, residential addresses, credit card numbers, and government-issued identifiers.
Another app mimics the social media site X to steal contacts, SMS messages, and photos from victim devices. The app primarily targets Chinese-speaking users via third-party websites or alternative app stores.
Besides using encrypted socket communication to transmit harvested data to a command-and-control (C2) server, the malware has been observed adding several meaningless permissions to the AndroidManifest.xml file (e.g., “android.permission.LhSSzIw6q”) in an attempt to break analysis tools.
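The junk permissions described above can be flagged during triage with a simple manifest check, shown here as an added example that is not part of McAfee's research or the article. It assumes the AndroidManifest.xml has already been decoded from the APK's binary XML to text (for example with apktool or androguard); the sample manifest below is constructed, and it relies on the fact that every genuine platform permission under `android.permission.` is an UPPER_SNAKE_CASE constant.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Genuine AOSP permission constants are UPPER_SNAKE_CASE (INTERNET, READ_SMS, ...).
# A name under the android.permission.* prefix that breaks this pattern cannot be a
# platform permission and is the kind of filler entry the article describes.
PLATFORM_NAME_RE = re.compile(r"^android\.permission\.[A-Z][A-Z0-9_]*$")

# Constructed sample manifest: real permissions mixed with two junk entries
# (one of them the name quoted in the article).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.LhSSzIw6q"/>
    <uses-permission android:name="android.permission.xQ8rTmZz"/>
    <uses-permission android:name="com.example.constructed.CUSTOM"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")]


def bogus_platform_permissions(manifest_xml: str) -> list[str]:
    """Permissions that claim the android.permission.* namespace but whose
    name does not look like any platform constant. Vendor or app-defined
    permissions in other namespaces are deliberately left alone."""
    return [
        p for p in declared_permissions(manifest_xml)
        if p.startswith("android.permission.") and not PLATFORM_NAME_RE.match(p)
    ]


if __name__ == "__main__":
    for name in bogus_platform_permissions(SAMPLE_MANIFEST):
        print("suspicious permission:", name)
```

A hit is a triage signal, not proof of malice; combine it with the rest of the manifest review and the blob-based payload indicators mentioned in the article.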
Also used to stay undetected is a technique called multi-stage dynamic loading, which uses an XOR-encrypted loader responsible for launching an AES-encrypted payload that, in turn, loads .NET MAUI assemblies designed to execute the malware.
“The main payload is ultimately hidden within the C# code,” Shin said. “When the user interacts with the app, such as pressing a button, the malware silently steals their data and sends it to the C2 server.”