Cybersecurity researchers are calling attention to an Android malware campaign that leverages Microsoft's .NET Multi-platform App UI (.NET MAUI) framework to create bogus banking and social media apps targeting Indian and Chinese-speaking users.
"These threats disguise themselves as legitimate apps, targeting users to steal sensitive information," McAfee Labs researcher Dexter Shin said.
.NET MAUI is Microsoft's cross-platform desktop and mobile app framework for building native applications using C# and XAML. It is the evolution of Xamarin, with added capabilities to not only build multi-platform apps from a single project, but also to incorporate platform-specific source code where necessary.
It is worth noting that official support for Xamarin ended on May 1, 2024, with Microsoft urging developers to migrate to .NET MAUI.
While Android malware implemented using Xamarin has been detected in the past, the latest development signals that threat actors are continuing to adapt and refine their tactics by building new malware with .NET MAUI.
"These apps have their core functionalities written entirely in C# and stored as blob binaries," Shin said. "This means that, unlike traditional Android apps, their functionalities do not exist in DEX files or native libraries."
This gives threat actors a new advantage in that .NET MAUI effectively acts as a packer: the malicious logic lives in managed assembly blobs rather than in the DEX code that most Android static-analysis tooling inspects first, allowing the artifacts to evade detection and persist on victim devices for extended periods of time.
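As an added example (not McAfee's tooling and not code from the article), the Python triage routine below checks an APK for the layout the quote describes: a thin DEX next to managed code stored as blobs, with the Mono runtime shipped as native libraries. The directory and library names it looks for (`assemblies/`, `libmonodroid.so`, `libmonosgen-2.0.so`) are assumptions drawn from standard Xamarin.Android build output, not from the article, and the APK it inspects is constructed in memory. It also reports blobs with near-maximal byte entropy, a cheap hint that a stage is encrypted rather than plain compiled code.

```python
"""Triage an Android APK for the .NET MAUI "blob assemblies" layout.

Added example, not McAfee's tooling. Assumed layout (taken from public
Xamarin.Android build output, not from the article): managed code under
assemblies/ (assemblies.blob, *.dll) and the Mono runtime as
lib/<abi>/libmonodroid.so and libmonosgen-2.0.so. The APK is constructed here.
"""
import io
import math
import os
import random
import zipfile

MONO_RUNTIME_LIBS = {"libmonodroid.so", "libmonosgen-2.0.so"}  # assumption
HIGH_ENTROPY_BITS = 7.5  # bits per byte; encrypted/compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes: bytes) -> dict:
    """Summarise where the app's code lives and whether assembly blobs look encrypted."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_size = sum(z.getinfo(n).file_size for n in names
                       if n.startswith("classes") and n.endswith(".dex"))
        blobs = [n for n in names if n.startswith("assemblies/")]
        blob_size = sum(z.getinfo(n).file_size for n in blobs)
        native = {os.path.basename(n) for n in names if n.startswith("lib/")}
        mono_libs = sorted(native & MONO_RUNTIME_LIBS)
        high_entropy = [n for n in blobs if shannon_entropy(z.read(n)) > HIGH_ENTROPY_BITS]
    return {
        "dex_bytes": dex_size,
        "assembly_blob_bytes": blob_size,
        "mono_runtime_libs": mono_libs,
        "high_entropy_blobs": high_entropy,
        # Managed code outweighs the DEX and the Mono runtime is present: .NET-packed app.
        "dotnet_packed": bool(blobs) and bool(mono_libs) and blob_size > dex_size,
    }


def _pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic stand-in for an encrypted blob (seeded so results are repeatable)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_apk() -> bytes:
    """Constructed stand-in for a MAUI-built APK: tiny DEX shim, code in blobs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0" + bytes(200))
        z.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF" + bytes(64))
        z.writestr("lib/arm64-v8a/libmonosgen-2.0.so", b"\x7fELF" + bytes(64))
        z.writestr("assemblies/assemblies.blob", _pseudo_random(4096, seed=7))
        z.writestr("assemblies/assemblies.manifest", b"Hash 32\tHash 64\tBlob ID\tName\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

The `dotnet_packed` verdict only says where the code is, not that it is malicious; legitimate MAUI apps have the same shape. The entropy flag is the useful follow-up signal, since a normal `assemblies.blob` holds compressed but recognisable .NET metadata rather than a uniformly random byte stream.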
The .NET MAUI-based Android apps, collectively codenamed FakeApp, and their associated package names are listed below –
- X (pkPrIg.cljOBO)
- 迷城 (pCDhCg.cEOngl)
- X (pdhe3s.cXbDXZ)
- X (ppl74T.cgDdFK)
- Cupid (pommNC.csTgAT)
- X (pINUNU.cbb8AK)
- 私密相册 (pBOnCi.cUVNXz)
- X•GDN (pgkhe9.ckJo4P)
- 迷城 (pCDhCg.cEOngl)
- 小宇宙 (p9Z2Ej.cplkQv)
- X (pDxAtR.c9C6j7)
- 迷城 (pg92Li.cdbrQ7)
- 依恋 (pZQA70.cFzO30)
- 慢夜 (pAQPSN.CcF9N3)
- indus credit card (indus.credit.card)
- Indusind Card (com.rewardz.card)
There is no evidence that these apps are distributed via Google Play. Rather, the main propagation vector involves tricking users into clicking on bogus links sent via messaging apps that redirect unwitting recipients to unofficial app stores.
In one example highlighted by McAfee, the app masquerades as an Indian financial institution to collect users' sensitive information, including full names, mobile numbers, email addresses, dates of birth, residential addresses, credit card numbers, and government-issued identifiers.
Another app mimics the social media site X to steal contacts, SMS messages, and photos from victim devices. The app primarily targets Chinese-speaking users via third-party websites or alternative app stores.
Besides using encrypted socket communication to transmit harvested data to a command-and-control (C2) server, the malware has been observed adding a number of meaningless permissions to the AndroidManifest.xml file (e.g., "android.permission.LhSSzIw6q") in an attempt to break analysis tools.
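The junk-permission trick is easy to turn into a detection. The following is an added example (not McAfee's detection logic) that classifies the `<uses-permission>` entries of a decoded AndroidManifest.xml: names under the `android.permission.` prefix that are not UPPER_SNAKE_CASE, as every framework permission is, are flagged as filler. It assumes the manifest has already been decoded from binary AXML to plain XML (apktool or androguard do this; that step is not shown), the allowlist is a short stand-in for the full platform permission list, and the sample manifest is constructed, with the filler name taken from the article.

```python
"""Flag junk <uses-permission> entries in a decoded AndroidManifest.xml.

Added example, not McAfee's detection logic. Assumes the manifest is already
plain XML (binary AXML decoding is not handled here). KNOWN is a short stand-in
for the full Android platform permission list; the manifest is constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Every framework permission is UPPER_SNAKE_CASE under android.permission.
FRAMEWORK_NAME = re.compile(r"^android\.permission\.[A-Z][A-Z0-9_]*$")
KNOWN = {  # stand-in allowlist; a real scanner loads the platform's full list
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.LhSSzIw6q"/>
  <uses-permission android:name="android.permission.a9Q2bX"/>
  <uses-permission android:name="com.example.vendor.permission.X"/>
  <application android:label="X"/>
</manifest>
"""  # constructed; the LhSSzIw6q name is the article's example


def classify_permissions(manifest_xml: str) -> dict:
    """Split uses-permission names into known, junk (framework-looking but bogus) and unknown."""
    root = ET.fromstring(manifest_xml)
    out = {"known": [], "junk": [], "unknown": []}
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name", "")
        if name in KNOWN:
            out["known"].append(name)
        elif name.startswith("android.permission.") and not FRAMEWORK_NAME.match(name):
            # Framework prefix with a non-framework name: filler meant to trip tooling
            out["junk"].append(name)
        else:
            out["unknown"].append(name)  # custom or vendor permission; review manually
    return out


def junk_ratio(manifest_xml: str) -> float:
    """Share of declared permissions that are filler; a crude but cheap triage score."""
    r = classify_permissions(manifest_xml)
    total = sum(len(v) for v in r.values())
    return len(r["junk"]) / total if total else 0.0


if __name__ == "__main__":
    print(classify_permissions(SAMPLE_MANIFEST))
    print(f"junk ratio: {junk_ratio(SAMPLE_MANIFEST):.2f}")
```

A single odd permission is not conclusive on its own, since OEMs and SDKs declare custom names in their own namespaces; the signal is framework-prefixed names that cannot exist, which is why the check keys on the prefix plus the naming convention rather than on the allowlist alone.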
Also used to stay undetected is a technique called multi-stage dynamic loading, which uses an XOR-encrypted loader responsible for launching an AES-encrypted payload that, in turn, loads the .NET MAUI assemblies designed to execute the malware.
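The first of those stages, a blob under a repeating XOR key, is the one an analyst usually has to peel off by hand before the AES key can be located in the decrypted loader. As an added example (not McAfee's tooling and not code from the article, which publishes neither keys nor formats), the routine below recovers a repeating XOR key by known plaintext: for each candidate key length it slides a crib across the ciphertext, keeps only positions where the implied key bytes are self-consistent, and confirms the candidate by checking that the decrypted blob starts with `MZ`. The key, the stage contents, and the assumption that the stage decrypts to a PE/.NET image carrying the standard DOS stub string are all constructed for the demo.

```python
"""Recover the repeating XOR key of a first-stage blob by known plaintext.

Added example, not McAfee's analysis tooling. Everything here is constructed:
the key, the stage contents, and the assumption that the stage decrypts to a
PE/.NET image containing the standard DOS stub text.
"""
import random

DOS_STUB = b"This program cannot be run in DOS mode."  # crib; assumed to be in the stage
SAMPLE_KEY = bytes([0x5A, 0xC3, 0x11, 0x9E, 0x07])    # constructed 5-byte key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating XOR key starting at offset 0 of data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_stage() -> bytes:
    """Constructed XOR-wrapped stage: PE-like header, then an opaque blob standing in
    for the AES-encrypted second stage (seeded PRNG bytes, not real ciphertext)."""
    rng = random.Random(1)
    second_stage = bytes(rng.getrandbits(8) for _ in range(512))
    plain = (b"MZ" + bytes(76) + DOS_STUB + b"\r\r\n$" + bytes(64)
             + b"PE\0\0" + second_stage)
    return xor_bytes(plain, SAMPLE_KEY)


def recover_xor_key(ct: bytes, crib: bytes, max_key_len: int = 16):
    """Return (key, crib_offset) or None.

    For each key length k and crib position, derive key[(pos+i) % k] = ct[pos+i] ^ crib[i];
    a position is plausible only if no key byte is assigned two different values.
    The candidate is then confirmed by decrypting the file header."""
    for k in range(1, max_key_len + 1):
        for pos in range(len(ct) - len(crib) + 1):
            key = [None] * k
            consistent = True
            for i, c in enumerate(crib):
                idx = (pos + i) % k
                kb = ct[pos + i] ^ c
                if key[idx] is None:
                    key[idx] = kb
                elif key[idx] != kb:
                    consistent = False
                    break
            if not consistent or any(b is None for b in key):
                continue  # crib shorter than k leaves key bytes unknown
            candidate = bytes(key)
            if xor_bytes(ct[:2], candidate) == b"MZ":
                return candidate, pos
    return None


if __name__ == "__main__":
    ct = build_sample_stage()
    found = recover_xor_key(ct, DOS_STUB)
    print("recovered key:", found[0].hex() if found else None)
    print("crib offset:", found[1] if found else None)
```

The header check is what makes the search safe against accidental matches in the random-looking second-stage bytes; with a different first-stage format the confirmation would change (a DEX stage starts with `dex\n`, an ELF stage with `\x7fELF`), but the consistency search is the same. Decrypting the AES-wrapped second stage needs the key and mode the loader uses, which have to be read out of the recovered loader and are not modelled here.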
"The main payload is ultimately hidden within the C# code," Shin said. "When the user interacts with the app, such as pressing a button, the malware silently steals their data and sends it to the C2 server."