New Android malware campaigns use Microsoft’s cross-platform framework .NET MAUI whereas disguising as reputable providers to evade detection.
The tactic was noticed by McAfee’s Cell Analysis Crew, a member of the App Protection Alliance devoted to enhancing Android safety.
Though the apps McAfee noticed goal customers in China and India, uncovering the assaults is vital because the concentrating on scope may broaden, and the identical tactic could also be adopted by different cybercriminals quickly.
Utilizing .NET MAUI on Android
Launched in 2022, .NET MAUI is an app growth framework in C#, launched by Microsoft as a alternative to Xamarin, supporting each desktop and cell platforms.
Sometimes, Android apps are written in Java/Kotlin and retailer the code in DEX format, nevertheless it’s technically potential to make use of .NET MAUI to construct an Android app in C# with the app’s logic saved inside binary blob recordsdata.
Modern Android safety instruments are designed to scan DEX recordsdata for suspicious logic and don’t study blob recordsdata. This permits risk actors to cover malicious code within the blobs and bypass detection.
This method is much more preferable than fetching malicious code post-installation by way of updates, which is the usual tactic with most Android malware these days.
On this case, the tactic is efficient as a result of C#-based apps and blob recordsdata on Android are obscure.
Aside from utilizing .NET MAUI, the campaigns noticed by McAffee use multi-layered encryption (XOR + AES) and staged execution, ‘AndroidManifest.xml’ file bloating with randomly generated strings, and TCP socket for command-and-control (C2) communications.
“With these evasion strategies, the threats can stay hidden for lengthy intervals, making evaluation and detection considerably more difficult,” warns McAfee.
“Moreover, the invention of a number of variants utilizing the identical core strategies means that this sort of malware is changing into more and more widespread.”
Faux X apps steal information
McAfee found a number of APKs in its report as a part of the campaigns utilizing the .NET MAUI method, together with pretend banking, communication, relationship, and social media apps equivalent to X.
Supply: McAfee
The researchers used two apps as examples, IndusInd and SNS, that are distributed exterior Google Play, Android’s official app retailer.
“In China, the place entry to the Google Play Retailer is restricted, such apps are sometimes distributed via third-party web sites or various app shops,” explains McAfee.
“This permits attackers to unfold their malware extra simply, particularly in areas with restricted entry to official app shops.”
Within the first case, the app impersonates an Indian financial institution, prompting customers to enter delicate private and monetary info, and exfiltrating it to the C2 server.
Supply: McAfee
Within the SNS app case, which targets Chinese language-speaking customers, the app makes an attempt to steal contact lists, SMS messages, and images saved on the machine.
Supply: McAfee
To attenuate the danger of an infection by these evasive malware apps, keep away from downloading Android APKs from third-party app shops or obscure web sites and keep away from clicking on hyperlinks acquired by way of SMS or e mail.
If you’re in areas the place Google Play is unavailable, scan APKs for malicious indicators and solely set up them from trusted websites.
Google Play Shield can detect and block the APKs McAfee recognized as a part of the newest campaigns, so guarantee it is lively in your machine.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and the best way to defend towards them.
