NoxPlayer Android Emulator Crippled With Malware That is Targeting Gamers

Update from ESET:

UPDATE (February 3rd, 2021):
Following the publication of our research, BigNox have contacted us to say that their initial denial of the compromise was a misunderstanding on their part and that they have since taken these steps to improve security for their users:

use only HTTPS to deliver software updates in order to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks

implement file integrity verification using MD5 hashing and file signature checks

adopt additional measures, notably encryption of sensitive data, to avoid exposing users’ personal information

BigNox have also stated that they have pushed the latest files to the update server for NoxPlayer and that, upon startup, NoxPlayer will now run a check of the application files previously installed on the users’ machines.

ESET assumes no responsibility for the accuracy of the information provided by BigNox.


Researchers have uncovered a new supply-chain attack aimed at the online gaming community. The attackers laced the Android emulator NoxPlayer with malware in order to reach gamers.

NoxPlayer Android Emulator Supply-Chain Attack

Security researchers from ESET have shared details of a new threat to online gamers in a recent post. Dubbed Operation NightScout, the threat is a supply-chain attack delivered through the Android emulator NoxPlayer.

NoxPlayer lets gamers play Android games on PCs running Windows and macOS.

The researchers describe the attack as a highly targeted operation aimed at individual gamers. The campaign does not seek to disrupt gaming; instead, the attackers planted spyware in the emulator, which makes the operation look like cyberespionage rather than sabotage.

Specifically, the attack was carried out by tampering with a NoxPlayer update, so every user who received the malicious update was compromised.

As explained by the researchers,

We have sufficient evidence to state that the BigNox infrastructure (res06.bignox.com) was compromised to host malware, and also to suggest that their HTTP API infrastructure (api.bignox.com) could have been compromised. In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers. This suggests that the URL field, provided in the reply from the BigNox API, was tampered with by the attackers.
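The tampered URL field in the API reply quoted above, and the HTTPS and integrity checks listed in the ESET update at the top of this post, translate into a small set of client-side checks. The following Python is an added illustration, not code from ESET or BigNox; it assumes the API reply is parsed JSON with a "url" field, uses res06.bignox.com (the host ESET names) as the allowlisted download host, and stands in a SHA-256 digest pinned in the client for a proper signature check with a pinned key.

```python
import hashlib
from urllib.parse import urlparse

# Hosts the updater may fetch from. res06.bignox.com is the host ESET names;
# building the client around such an allowlist is an assumption.
ALLOWED_HOSTS = {"res06.bignox.com"}

# Constructed stand-in for an update binary, plus the digest the client is
# assumed to ship with (in practice a signature checked with a pinned key).
SAMPLE_PAYLOAD = b"constructed sample NoxPlayer update payload"
PINNED_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()

def check_update_reply(reply, allowed_hosts=ALLOWED_HOSTS):
    """Reasons to refuse the update an API reply describes (empty list = OK).

    `reply` is assumed to be the parsed JSON reply with a "url" field, the
    field ESET reports was tampered with. A hash sent in the same reply is
    untrusted for the same reason, so it is deliberately not used here.
    """
    problems = []
    url = reply.get("url", "")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"download URL is not HTTPS: {url}")
    if parsed.hostname not in allowed_hosts:
        problems.append(f"download host not on allowlist: {parsed.hostname}")
    return problems

def verify_download(data, pinned_sha256):
    """Compare fetched bytes with a digest that did not come from the reply.

    MD5 catches accidental corruption but is collision-prone; SHA-256 is used
    instead, and the reference value must be pinned in the client.
    """
    return hashlib.sha256(data).hexdigest() == pinned_sha256

def accept_update(reply, data, pinned_sha256=PINNED_SHA256,
                  allowed_hosts=ALLOWED_HOSTS):
    """Origin and transport checks first, then file integrity."""
    problems = check_update_reply(reply, allowed_hosts)
    if not verify_download(data, pinned_sha256):
        problems.append("file digest does not match the pinned value")
    return problems

if __name__ == "__main__":
    good = {"url": "https://res06.bignox.com/updates/NoxPlayer.exe"}
    bad = {"url": "http://updates.tampered.invalid/NoxPlayer.exe"}
    print("genuine reply:", accept_update(good, SAMPLE_PAYLOAD))
    print("tampered reply:", accept_update(bad, SAMPLE_PAYLOAD + b"\x00"))
```

The key point is that nothing the API reply carries, including any hash field, can vouch for the file once that reply itself may be attacker-controlled; the reference digest or signing key has to be pinned in the client.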

The compromise is believed to date from September 2020, when the malicious updates were delivered. Since then, the campaign has targeted very few victims, in regions including Taiwan, Sri Lanka, and Hong Kong.

What Should You Do?

Because the campaign selects its victims so narrowly, the researchers believe that not all NoxPlayer users have been affected so far.

Nonetheless, for those who remain uninfected, ESET advises against downloading any updates until BigNox confirms that the threat has been mitigated.

For those who have been infected, ESET recommends performing a standard reinstall from clean media.


1 comment

Jessiya February 7, 2021 - 11:18 am
Hi, this is Jessiya from Nox Limited. We found that you published an article about our product NoxPlayer: https://latesthackingnews.com/2021/02/03/noxplayer-android-emulator-crippled-with-malware-that-is-targeting-gamers/. We have contacted ESET to locate the problem positively, and ESET has given us a reply. Here is the latest update from ESET: https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/, we have fixed all the problems. I sincerely hope you can delete your article immediately, because we have reached an agreement with ESET and solved the problem. We have taken urgent steps to prevent the situation, so it is not suitable to keep the original article now. We also express thanks to ESET, so I sincerely hope that you can lead the reader positively and avoid panic, and we sincerely hope that you can help us to clarify the facts. Any opinions on a public platform that violate the facts break the law and should bear legal responsibility. ESET will make a new statement to explain it; if you want to update or report the latest process, we can also provide it for you. Any questions, please let me know. Thank you! Best Regards, Jessiya.
