Update from ESET:
UPDATE (February 3rd, 2021):
Following the publication of our research, BigNox have contacted us to say that their initial denial of the compromise was a misunderstanding on their part and that they have since taken these steps to improve security for their users:
use only HTTPS to deliver software updates in order to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks
implement file integrity verification using MD5 hashing and file signature checks
adopt additional measures, notably encryption of sensitive data, to avoid exposing users’ personal information
BigNox have also stated that they have pushed the latest files to the update server for NoxPlayer and that, upon startup, NoxPlayer will now run a check of the application files previously installed on the users’ machines.
ESET assumes no responsibility for the accuracy of the information provided by BigNox.
Researchers have found a new supply-chain attack targeting the online gaming community. The attackers tampered with the update mechanism of the Android emulator NoxPlayer to deliver malware to selected gamers.
NoxPlayer Android Emulator Supply-Chain Attack
Security researchers at ESET have described a new threat to online gamers in a recent post. Dubbed Operation NightScout, it is a supply-chain attack delivered through the Android emulator NoxPlayer.
NoxPlayer lets gamers play Android games on a PC, on both Windows and macOS.
According to the researchers, the attack is highly targeted, singling out individual gamers. Its goal is not to disrupt gaming: the attackers used the emulator's update channel to plant spyware, which makes the operation a cyberespionage campaign rather than sabotage.
Specifically, the attack was carried out by tampering with NoxPlayer's update process, so any user who received one of the malicious updates was infected.
As explained by the researchers,
We have sufficient evidence to state that the BigNox infrastructure (res06.bignox.com) was compromised to host malware, and also to suggest that their HTTP API infrastructure (api.bignox.com) could have been compromised. In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers. This suggests that the URL field, provided in the reply from the BigNox API, was tampered with by the attackers.
The malicious updates reportedly began in September 2020. Since then the campaign has hit only a handful of victims, located in Taiwan, Sri Lanka, and Hong Kong.
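ESET's statement above describes the weak point precisely: the updater trusted a URL handed back by an HTTP API, so an attacker who controlled the reply could redirect the download to their own server, and BigNox's fix (HTTPS only, plus hash and signature checks) is aimed at exactly that. The following is an added example, not BigNox or ESET code, of the policy checks an updater client should apply to such a reply before installing anything. The JSON field names, the sample payload bytes and the attacker hostname are assumptions; res06.bignox.com is the host ESET names. It also shows the caveat a practitioner would raise about the fix as announced: an integrity check that accepts MD5 is weaker than one restricted to SHA-256 or SHA-512.

```python
"""Added example (not BigNox/ESET code): policy checks an updater client
should apply to an update-API reply before installing anything.  Field
names, the attacker hostname and the sample payload are assumptions."""
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Assumption: BigNox serves updates only from hosts under its own domain.
TRUSTED_DOMAIN = "bignox.com"
# MD5 is collision-broken; accept only modern hashes for integrity checks.
ACCEPTED_HASH_ALGOS = {"sha256", "sha512"}


class UpdateRejected(Exception):
    """Raised when the reply or the downloaded payload fails a policy check."""


def check_update_url(url: str) -> None:
    """Reject plain HTTP and any host outside the trusted domain.

    This is the control for the tampered URL field ESET describes: even if
    an attacker rewrites the API reply, the download must still go to a
    trusted host over TLS, so a rogue server cannot simply be swapped in.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"scheme must be https, got {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        raise UpdateRejected(f"host {host!r} is not under {TRUSTED_DOMAIN}")


def verify_payload(payload: bytes, algo: str, expected_hex: str) -> None:
    """Check the downloaded bytes against the digest advertised in the reply."""
    algo = algo.lower()
    if algo not in ACCEPTED_HASH_ALGOS:
        raise UpdateRejected(f"hash algorithm {algo!r} not accepted")
    actual = hashlib.new(algo, payload).hexdigest()
    if not hmac.compare_digest(actual, expected_hex.lower()):
        raise UpdateRejected("payload digest mismatch")


def validate_update_reply(reply_json: str, payload: bytes) -> dict:
    """Parse a reply, apply both checks, and return the accepted metadata."""
    reply = json.loads(reply_json)
    check_update_url(reply["url"])
    verify_payload(payload, reply["hash_algo"], reply["hash"])
    return {"version": reply["version"], "url": reply["url"]}


def rejection_reason(reply_json: str, payload: bytes):
    """None if the update would be accepted, otherwise the reason it was refused."""
    try:
        validate_update_reply(reply_json, payload)
    except UpdateRejected as exc:
        return str(exc)
    return None


# Constructed sample data: the bytes of a pretend update package.
GOOD_PAYLOAD = b"NoxPlayer-update-package (constructed sample bytes)"
GOOD_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()


def make_reply(url, algo="sha256", digest=GOOD_SHA256, version="0.0.0-sample"):
    # Assumed reply layout; BigNox's real API format is not documented here.
    return json.dumps({"version": version, "url": url,
                       "hash_algo": algo, "hash": digest})


# Legitimate reply: HTTPS, a BigNox host, SHA-256 of the real payload.
LEGIT_REPLY = make_reply("https://res06.bignox.com/updates/nox.pkg")
# URL field rewritten to an attacker host (hostname is an assumption).
TAMPERED_URL_REPLY = make_reply("https://attacker-controlled.example/nox.pkg")
# Right host, but downgraded to plain HTTP: still rejected.
HTTP_REPLY = make_reply("http://res06.bignox.com/updates/nox.pkg")
# Correct MD5 of the payload, but MD5 is not an accepted algorithm.
MD5_REPLY = make_reply("https://res06.bignox.com/updates/nox.pkg", "md5",
                       hashlib.new("md5", GOOD_PAYLOAD).hexdigest())

if __name__ == "__main__":
    for name, reply in [("legit", LEGIT_REPLY), ("tampered url", TAMPERED_URL_REPLY),
                        ("http", HTTP_REPLY), ("md5", MD5_REPLY)]:
        print(f"{name}: {rejection_reason(reply, GOOD_PAYLOAD) or 'accepted'}")
    print("swapped payload:", rejection_reason(LEGIT_REPLY, b"not the real package"))
```

Two points worth noting. First, a digest carried in the API reply only protects the payload if the reply itself is trustworthy, which is why host allow-listing over TLS comes first; an attacker who can rewrite the URL field can rewrite the hash field too. Second, none of this replaces the "file signature checks" BigNox mentions: a signature over the package, verified with a public key shipped in the client and a private key kept off the update servers, is what protects users when the server itself is compromised, as ESET reports res06.bignox.com was.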
What Should You Do?
Because the campaign selects its victims so narrowly, the researchers believe that only a small number of NoxPlayer users have actually been infected.
Nonetheless, ESET advises users who are not infected to avoid downloading any NoxPlayer updates until BigNox confirms that the threat has been mitigated.
For users who have been infected, ESET recommends performing a standard reinstall from clean media.