
Researchers Discover Malicious Android Apps Exploiting .NET MAUI

by Abeerah Hashim

Threat actors targeting Android users are employing a new technique to stay under the radar. Researchers recently caught numerous malicious Android apps exploiting Microsoft’s .NET MAUI framework to evade detection.

Numerous Malicious Android Apps Exploit .NET MAUI To Spread Malware

According to a recent report from the McAfee Mobile Research Team, a new malware campaign is active in the wild, employing a novel approach to avoid detection. Specifically, the researchers spotted multiple malicious Android applications spreading malware by exploiting Microsoft’s .NET MAUI framework.

Microsoft launched .NET MAUI, a C#-based application development framework, as a substitute for Xamarin after noticing the latter’s abuse in malicious campaigns. The new .NET MAUI also garnered attention as it offered support beyond Android, to Windows and macOS app development as well.

However, it now seems this useful framework has also attracted the attention of bad actors, who are exploiting it.

As explained in the post, the attackers exploit .NET MAUI’s packer-like functionality. Most Android applications store their core functionality in DEX files or native libraries. However, .NET MAUI allows C#-based apps to store their core functionality as blob binaries. Since most antivirus solutions typically scan DEX files to detect malware, apps developed using .NET MAUI seemingly remain unchecked. Hence, any malicious app developed this way can run the embedded malware on a device without alerting the antivirus solution.
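A defensive triage example for the gap described above, added here and not taken from the McAfee report or any vendor's scanner: it reports where an APK's code lives, so an analyst can see when DEX-only inspection would skip managed .NET assemblies. The archive paths in the patterns are assumed layouts for .NET for Android builds, and the sample APK is constructed in memory.

```python
import io
import re
import zipfile

# Entry names where .NET for Android / MAUI builds are commonly seen to keep
# managed code (assumed layouts; verify against the build you are analysing).
MANAGED_PATTERNS = [
    re.compile(r"^assemblies/.*\.blob$"),                    # assembly store blobs
    re.compile(r"^assemblies/.*\.dll$"),                     # loose assemblies
    re.compile(r"^lib/[^/]+/libassemblies\..*\.blob\.so$"),  # blob wrapped as .so
]
DEX_PATTERN = re.compile(r"^classes\d*\.dex$")


def triage_apk(apk):
    """Return where an APK's code lives; apk is a path or file-like object."""
    report = {"dex_bytes": 0, "managed_bytes": 0, "managed_entries": []}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if DEX_PATTERN.match(info.filename):
                report["dex_bytes"] += info.file_size
            elif any(p.match(info.filename) for p in MANAGED_PATTERNS):
                report["managed_bytes"] += info.file_size
                report["managed_entries"].append(info.filename)
    # DEX-only scanning leaves every managed entry uninspected.
    report["needs_managed_scan"] = bool(report["managed_entries"])
    return report


def build_sample_apk(entries):
    """Constructed sample: an in-memory zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_apk({
        "classes.dex": b"\0" * 64,                   # thin Java bootstrap
        "assemblies/assemblies.blob": b"\0" * 4096,  # bulk of the app logic
    })
    print(triage_apk(sample))
```

A small `dex_bytes` figure next to a large `managed_bytes` figure means the assemblies listed in `managed_entries` should be extracted and analysed with .NET tooling rather than relying on DEX scanning alone.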

Besides exploiting Microsoft’s framework, the malware also employs multi-stage dynamic loading of the final payload. Moreover, it encrypts its C&C communication to escape traffic scanning.

Malware Abuses Various App Niches To Target Users

The researchers observed these malicious apps targeting Android users through unofficial app stores. The threat actors may lure the users into downloading the malware via phishing attacks, mimicking legitimate applications.

As examples, the researchers mentioned two different applications distributing malware in this campaign. The first is a fake Indian banking app posing as the IndusInd Bank app. Once downloaded and installed on a device, the app asks the user to enter personal details and banking information. The malware running behind the app then transmits all collected information to the attackers’ C&C without raising alerts.

Another example is a fake social networking app, SNS, mimicking popular services like X (formerly Twitter). This app specifically targets Chinese users who often visit unofficial app stores to download apps for restricted platforms like X.

In addition, the recent malicious campaign also mimics several other applications, like dating apps, expanding its target radius.

Stick To Official Sources to Avoid Malware

Given the highly evasive techniques the new malware employs, users must remain as careful as possible when downloading apps. Since most of the malicious apps from this campaign spread via unofficial stores, users should ideally stick to downloading apps from the official app stores only.

For repressive regions like China with limited access to official app stores, users may consider visiting the official websites via workarounds like proxies/VPNs to download legitimate applications.

Moreover, equipping the devices with the latest versions of trusted antivirus solutions can also help prevent numerous malware threats.

Let us know your thoughts in the comments.
