Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps

Mar 25, 2025 | Ravie Lakshmanan | Mobile Security / Data Theft

Cybersecurity researchers are calling attention to an Android malware campaign that leverages Microsoft’s .NET Multi-platform App UI (.NET MAUI) framework to create bogus banking and social media apps targeting Indian and Chinese-speaking users.

“These threats disguise themselves as legitimate apps, targeting users to steal sensitive information,” McAfee Labs researcher Dexter Shin said.

.NET MAUI is Microsoft’s cross-platform desktop and mobile app framework for creating native applications using C# and XAML. It represents an evolution of Xamarin, with added capabilities to not only create multi-platform apps using a single project, but also incorporate platform-specific source code as and when necessary.

It is worth noting that official support for Xamarin ended on May 1, 2024, with the tech giant urging developers to migrate to .NET MAUI.

While Android malware implemented using Xamarin has been detected in the past, the latest development signals that threat actors are continuing to adapt and refine their tactics by developing new malware using .NET MAUI.

“These apps have their core functionalities written entirely in C# and stored as blob binaries,” Shin said. “This means that unlike traditional Android apps, their functionalities do not exist in DEX files or native libraries.”

This gives a newfound advantage to threat actors in that .NET MAUI acts as a packer, allowing the malicious artifacts to evade detection and persist on victim devices for extended periods of time.

The .NET MAUI-based Android apps, collectively codenamed FakeApp, and their associated package names are listed below:

There is no evidence that these apps are distributed to Google Play. Rather, the main propagation vector involves tricking users into clicking on bogus links sent via messaging apps that redirect unwitting recipients to unofficial app stores.

In one example highlighted by McAfee, the app masquerades as an Indian financial institution to gather users’ sensitive information, including full names, mobile numbers, email addresses, dates of birth, residential addresses, credit card numbers, and government-issued identifiers.

Another app mimics the social media site X to steal contacts, SMS messages, and photos from victim devices. The app primarily targets Chinese-speaking users via third-party websites or alternative app stores.

Besides using encrypted socket communication to transmit harvested data to a command-and-control (C2) server, the malware has been observed including several meaningless permissions in the AndroidManifest.xml file (e.g., “android.permission.LhSSzIw6q”) in an attempt to break analysis tools.
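A triage check for the junk-permission trick described above, as an added example that is not McAfee's tooling or code from the original article. It assumes the manifest has already been decoded from binary AXML to text, and it relies on the heuristic that permission names in the android.permission namespace are UPPER_SNAKE_CASE constants; the function name and the sample manifest are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PLATFORM_PREFIX = "android.permission."
# Heuristic (assumption): platform permission names are UPPER_SNAKE_CASE.
PLATFORM_STYLE = re.compile(r"[A-Z][A-Z0-9]*(_[A-Z0-9]+)*")

# Constructed sample manifest; only the junk permission name is from the article.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.LhSSzIw6q"/>
    <uses-permission android:name="com.example.sample.permission.PUSH"/>
    <uses-permission/>
</manifest>
"""


def suspicious_permissions(manifest_xml: str) -> list[str]:
    """Return android.permission.* names that do not look like platform constants."""
    root = ET.fromstring(manifest_xml.strip())
    flagged = []
    for elem in root.iter():
        # Covers uses-permission and uses-permission-sdk-23.
        if not elem.tag.startswith("uses-permission"):
            continue
        name = elem.get(ANDROID_NS + "name")
        if not name or not name.startswith(PLATFORM_PREFIX):
            continue  # missing name, or an app-defined namespace
        suffix = name[len(PLATFORM_PREFIX):]
        if not PLATFORM_STYLE.fullmatch(suffix):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for perm in suspicious_permissions(SAMPLE_MANIFEST):
        print("non-platform permission name:", perm)
```

A junk name written entirely in capitals would pass this pattern, so a stricter check compares each name against the permission list of the target SDK level.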

Also used to stay undetected is a technique called multi-stage dynamic loading, which makes use of an XOR-encrypted loader responsible for launching an AES-encrypted payload that, in turn, loads .NET MAUI assemblies designed to execute the malware.

“The main payload is ultimately hidden within the C# code,” Shin said. “When the user interacts with the app, such as pressing a button, the malware silently steals their data and sends it to the C2 server.”
