Researchers Found Malicious Android Apps Exploiting .NET MAUI

Cybercriminals targeting Android users have adopted a new tactic to avoid detection: researchers have found that a number of malicious Android apps now use Microsoft’s .NET MAUI framework to fly under the radar.

Malicious Android Apps Exploit .NET MAUI Framework for Malware Distribution

According to a recent report by the McAfee Mobile Research Team, a fresh malware campaign is in operation, leveraging a unique method to evade detection. The researchers identified multiple malicious Android apps spreading malware by exploiting Microsoft’s .NET MAUI framework.

Microsoft introduced .NET MAUI, a C#-based application development framework, as a replacement for Xamarin after noticing Xamarin’s misuse in malicious activities. The new .NET MAUI framework also gained popularity for its cross-platform support for Android, Windows, and macOS app development.

However, it appears that this versatile framework has now caught the attention of cybercriminals for malicious purposes.

The attackers exploit the packer-like functionality of .NET MAUI. While most Android apps store their core functionality in DEX files or native libraries, .NET MAUI allows C#-based apps to store core functionality as blob binaries. This approach sidesteps antivirus solutions that typically scan DEX files for malware, allowing malicious apps built with .NET MAUI to operate undetected and execute the embedded malware on the device.
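The practical consequence for defenders is that a scanner which only looks at `classes.dex` sees almost nothing of a .NET MAUI app's logic. The following triage heuristic is an added example (not code from the McAfee report or this article): it opens an APK as a ZIP, sizes the DEX payload against the managed-assembly payload, and flags samples where most of the code-bearing bytes live outside DEX so an analyst routes them to assembly-level inspection. The `assemblies/` directory and the `assemblies.blob` / `assemblies.manifest` names are assumptions drawn from the .NET for Android packaging layout; the two sample APKs are constructed in memory so the script runs offline.

```python
"""Triage heuristic for Android APKs whose application logic lives in
.NET MAUI assembly blobs rather than in classes.dex.

Added example, not from the McAfee report or this article. Assumed, based
on the .NET for Android packaging layout: MAUI apps ship managed assemblies
under an ``assemblies/`` directory in the APK, typically as
``assemblies.blob`` / ``assemblies.manifest`` (plus per-ABI variants).
"""
import io
import zipfile
from dataclasses import dataclass, field

ASSEMBLY_DIR = "assemblies/"        # assumed .NET MAUI packaging path
BLOB_SUFFIXES = (".blob", ".dll")   # assumed blob / raw assembly names


@dataclass
class ApkTriage:
    dex_bytes: int = 0
    blob_bytes: int = 0
    blob_entries: list = field(default_factory=list)

    @property
    def is_maui(self) -> bool:
        return bool(self.blob_entries)

    @property
    def blob_ratio(self) -> float:
        """Fraction of code-bearing bytes that a DEX-only scanner never sees."""
        total = self.dex_bytes + self.blob_bytes
        return self.blob_bytes / total if total else 0.0


def triage_apk(apk: bytes) -> ApkTriage:
    """Walk the APK (a ZIP) and size up DEX versus managed-assembly payload."""
    result = ApkTriage()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            name = info.filename
            # classes.dex, classes2.dex, ... at the APK root
            if name.startswith("classes") and name.endswith(".dex") and "/" not in name:
                result.dex_bytes += info.file_size
            elif name.startswith(ASSEMBLY_DIR) and name.endswith(BLOB_SUFFIXES):
                result.blob_bytes += info.file_size
                result.blob_entries.append(name)
    return result


def verdict(t: ApkTriage, threshold: float = 0.5) -> str:
    """Label for an analyst queue: route blob-heavy samples to deeper review."""
    if not t.is_maui:
        return "dex-only"
    if t.blob_ratio >= threshold:
        return "maui-blob-heavy: inspect managed assemblies, not just DEX"
    return "maui: managed assemblies present"


def build_sample_apk(dex_size: int, blob_size: int) -> bytes:
    """Constructed stand-in APK used only so this example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("classes.dex", b"\x00" * dex_size)
        if blob_size:
            zf.writestr("assemblies/assemblies.manifest", b"constructed")
            zf.writestr("assemblies/assemblies.blob", b"\x00" * blob_size)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("plain", build_sample_apk(40_000, 0)),
               ("maui", build_sample_apk(2_000, 300_000)))
    for label, apk in samples:
        t = triage_apk(apk)
        print(f"{label}: {verdict(t)} (blob ratio {t.blob_ratio:.2f}, {t.blob_entries})")
```

The ratio is deliberately crude: a tiny `classes.dex` next to a large assembly blob is normal for any legitimate MAUI app, so the label is a routing hint ("do not stop at the DEX"), not a maliciousness verdict. Real triage would go on to unpack and scan the managed assemblies themselves.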

In addition to exploiting Microsoft’s framework, the malware utilizes multi-stage dynamic loading of the final payload and encrypts its C&C communication to evade detection.

Malware Targets Users Through Various App Categories

The researchers observed these malicious apps targeting Android users primarily through unofficial app stores. Users are enticed to download the malware through phishing attacks, often disguised as legitimate applications.

For instance, a fake Indian banking app masquerading as the IndusInd Bank app prompts users to enter personal and banking information once installed. The hidden malware then sends the collected data to the attackers without triggering alerts.

Another example includes a fake social networking app, SNS, impersonating popular platforms like X (formerly Twitter) to target Chinese users who frequent unofficial app stores.

The malicious campaign also mimics various other applications, such as dating apps, to expand its reach.

Prevent Malware by Using Official Sources

Given the sophisticated evasion techniques employed by this new malware, users must exercise caution when downloading apps. It is advisable to download apps only from official app stores to mitigate the risk of encountering malicious software.

In regions with restricted access to official app stores, users can consider obtaining legitimate applications from the developers’ official websites via proxies/VPNs.

Furthermore, keeping devices updated and running reputable antivirus software can help safeguard against a wide range of malware threats.

We welcome your thoughts in the comments section.