Cybersecurity researchers are calling attention to an Android malware campaign that leverages Microsoft's .NET Multi-platform App UI (.NET MAUI) framework to create bogus banking and social media apps targeting Indian and Chinese-speaking users.
"These threats disguise themselves as legitimate apps, targeting users to steal sensitive information," McAfee Labs researcher Dexter Shin said.
.NET MAUI is Microsoft's cross-platform desktop and mobile app framework for creating native applications using C# and XAML. It represents an evolution of Xamarin, with added capabilities to not only create multi-platform apps using a single project, but also incorporate platform-specific source code as and when necessary.
It is worth noting that official support for Xamarin ended on May 1, 2024, with the tech giant urging developers to migrate to .NET MAUI.
While Android malware implemented using Xamarin has been detected in the past, the latest development signals that threat actors are continuing to adapt and refine their tactics by developing new malware using .NET MAUI.
"These apps have their core functionalities written entirely in C# and stored as blob binaries," Shin said. "This means that unlike traditional Android apps, their functionalities do not exist in DEX files or native libraries."
This gives a newfound advantage to threat actors in that .NET MAUI acts as a packer, allowing the malicious artifacts to evade detection and persist on victim devices for extended periods of time.
The .NET MAUI-based Android apps, collectively codenamed FakeApp, and their associated package names are listed below –
- X (pkPrIg.cljOBO)
- 迷城 (pCDhCg.cEOngl)
- X (pdhe3s.cXbDXZ)
- X (ppl74T.cgDdFK)
- Cupid (pommNC.csTgAT)
- X (pINUNU.cbb8AK)
- 私密相册 (pBOnCi.cUVNXz)
- X•GDN (pgkhe9.ckJo4P)
- 迷城 (pCDhCg.cEOngl)
- 小宇宙 (p9Z2Ej.cplkQv)
- X (pDxAtR.c9C6j7)
- 迷城 (pg92Li.cdbrQ7)
- 依恋 (pZQA70.cFzO30)
- 慢夜 (pAQPSN.CcF9N3)
- Indus credit card (indus.credit.card)
- Indusind Card (com.rewardz.card)
There is no evidence that these apps are distributed through Google Play. Rather, the main propagation vector involves tricking users into clicking on bogus links sent via messaging apps that redirect unwitting recipients to unofficial app stores.
In one instance highlighted by McAfee, the app masquerades as an Indian financial institution to collect users' sensitive information, including full names, mobile numbers, email addresses, dates of birth, residential addresses, credit card numbers, and government-issued identifiers.
Another app mimics the social media site X to steal contacts, SMS messages, and photos from victim devices. The app primarily targets Chinese-speaking users via third-party websites or alternative app stores.
Besides using encrypted socket communication to transmit harvested data to a command-and-control (C2) server, the malware has been observed adding a number of meaningless permissions to the AndroidManifest.xml file (e.g., "android.permission.LhSSzIw6q") in an attempt to break analysis tools.
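Two triage checks for the indicators described above (bogus android.permission.* entries in the manifest, and managed C# code shipped as assembly blobs instead of DEX), written as an added example rather than McAfee's or the article's own tooling. It assumes the manifest has already been decoded from binary AXML to text XML, and the sample manifest and APK layout are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Platform permission constants are upper-case identifiers (READ_SMS, INTERNET);
# a mixed-case name like android.permission.LhSSzIw6q does not fit that shape.
PLATFORM_CONST = re.compile(r"^android\.permission\.[A-Z][A-Z0-9_]*$")


def bogus_permissions(manifest_xml: str) -> list[str]:
    """Return android.permission.* names that do not look like real platform constants."""
    root = ET.fromstring(manifest_xml)
    flagged = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name.startswith("android.permission.") and not PLATFORM_CONST.match(name):
            flagged.append(name)
    return flagged


def maui_assembly_entries(apk_bytes: bytes) -> list[str]:
    """List archive entries under assemblies/, where .NET for Android keeps managed code."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return [n for n in apk.namelist()
                if n.startswith("assemblies/") and n.endswith((".blob", ".dll", ".manifest"))]


# Constructed sample manifest: one real permission, one fake one as in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.LhSSzIw6q"/>
</manifest>"""


def build_sample_apk() -> bytes:
    """Constructed zip mimicking a .NET MAUI APK layout (placeholder bytes, no real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        z.writestr("assemblies/assemblies.blob", b"\x00" * 16)
        z.writestr("assemblies/assemblies.manifest", "")
        z.writestr("classes.dex", b"dex\n035\x00")  # thin stub DEX, as in a MAUI app
    return buf.getvalue()


if __name__ == "__main__":
    print("bogus permissions:", bogus_permissions(SAMPLE_MANIFEST))
    print("managed assembly entries:", maui_assembly_entries(build_sample_apk()))
```

A hit on both checks (an assemblies/ store present and invented permission names) is a reasonable trigger to route an APK to manual .NET analysis rather than relying on DEX-only scanners.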
Also used to stay undetected is a technique called multi-stage dynamic loading, which uses an XOR-encrypted loader responsible for launching an AES-encrypted payload that, in turn, loads .NET MAUI assemblies designed to execute the malware.
"The main payload is ultimately hidden within the C# code," Shin said. "When the user interacts with the app, such as pressing a button, the malware silently steals their data and sends it to the C2 server."