
Cybersecurity researchers have drawn attention to Android malware campaigns that leverage Microsoft's .NET Multi-platform App UI (.NET MAUI) framework to build fake banking and social media apps targeting Indian and Chinese users.
“These threats hide themselves in legitimate apps and target users to steal sensitive information,” said Dexter Shin, researcher at McAfee Labs.
.NET MAUI is Microsoft's cross-platform desktop and mobile app framework for creating native applications using C# and XAML. It represents the evolution of Xamarin, adding the ability not only to build multi-platform apps from a single project, but also to incorporate platform-specific source code where needed.
It is worth noting that official support for Xamarin ended on May 1, 2024, and the tech giant has encouraged developers to migrate to .NET MAUI.

Android malware built with Xamarin has been detected in the past, but the latest development signals that threat actors continue to adapt and refine their tactics by developing new malware with .NET MAUI.
“These apps have their core functionality written entirely in C# and stored as blob binaries,” Shin said. “This means that, unlike traditional Android apps, those features are not present in DEX files or native libraries.”
This offers threat actors a new advantage: .NET MAUI effectively acts as a packer, allowing the malicious artifacts to evade detection and persist on victim devices for extended periods.
The .NET MAUI-based Android apps, collectively codenamed FakeApp, are listed below along with their associated package names.

x (pkprig.cljobo)
Mikujo (pkdhcg.ceongl)
x (pdhe3s.cxbdxz)
x (ppl74t.cgddfk)
upid (pommnc.cstgat)
x (pinuu.cbb8ak)
Personal secret (pbonci.cuvnxz)
x•gdn (pbonci.ckhe.ckhe.ckhe.ckhe.ckhe. (pcdhcg.ceongl)
Microcosm (p9z2ej.cplkqv)
x (pdxatr.c9c6j7)
Mikujo (pg92li.cdbrq7)
Iren (pzqa70.cfzo30)
There is no evidence that these apps are distributed via Google Play. Rather, the main propagation vector involves tricking users into clicking fake links sent via messaging apps, which redirect unsuspecting recipients to unofficial app stores.

In one example highlighted by McAfee, the app disguises itself as an Indian financial institution to collect sensitive information about users, such as their full name, mobile phone number, email address, date of birth, residential address, credit card number, and government-issued identifiers.
Another app mimics the social media site X and steals contacts, SMS messages, and photos from victim devices. It is primarily distributed to Chinese-speaking users through third-party websites or alternative app stores.
In addition to sending the harvested data to a command-and-control (C2) server over encrypted socket communication, the malware has been observed to declare meaningless permissions in its AndroidManifest.xml file (for example, “android.permission.lhssziw6q”) in an attempt to break analysis tools.
To stay undetected, it also employs a technique called multi-stage dynamic loading: an XOR-encrypted loader is responsible for launching an AES-encrypted payload, which in turn loads the .NET MAUI assemblies that carry out the malicious functionality.
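The two traits described above, managed code shipped as blob binaries rather than DEX, and a manifest padded with nonsense permissions, are both cheap to check during APK triage. The following Python script is an added example, not code from McAfee or from the article: it flags android.permission.* names that break the platform's UPPER_SNAKE_CASE naming convention (the cited “android.permission.lhssziw6q” is one), notes permissions declared more than once, and looks for paths that indicate a Xamarin/.NET Android build. The manifest text and APK entry listing are constructed sample input, and the marker paths are assumed indicators drawn from how .NET Android apps are typically packaged, not artifacts named in the article. The manifest is expected in decoded (apktool-style) XML form, since the manifest inside an APK is binary XML.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Platform permissions are UPPER_SNAKE_CASE under the android.permission.
# prefix (e.g. android.permission.READ_SMS). Anything else under that
# prefix is not a real framework permission.
_STD_PERM = re.compile(r"^android\.permission\.[A-Z][A-Z0-9_]*$")

# Constructed decoded manifest (as apktool would emit it), not taken from
# the article; only the junk permission string is the one the article cites.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.lhssziw6q"/>
    <uses-permission android:name="android.permission.lhssziw6q"/>
    <application android:label="Bank"/>
</manifest>
"""


def suspicious_permissions(manifest_xml: str) -> dict:
    """Return {'unknown': [...], 'duplicates': [...]} for a decoded manifest.

    'unknown' lists android.permission.* names that do not follow the
    platform naming convention; 'duplicates' lists names declared more than
    once. Both are indicators that a manifest was padded to trip up tooling.
    """
    root = ET.fromstring(manifest_xml)
    seen: dict = {}
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name", "")
        seen[name] = seen.get(name, 0) + 1
    unknown = sorted(
        n for n in seen
        if n.startswith("android.permission.") and not _STD_PERM.match(n)
    )
    duplicates = sorted(n for n, c in seen.items() if c > 1)
    return {"unknown": unknown, "duplicates": duplicates}


# Assumed indicator paths for a Xamarin/.NET (MAUI) Android build: the
# managed assembly store plus the Mono runtime libraries. Layout varies by
# .NET version, so treat a hit as a lead, not proof.
DOTNET_ANDROID_MARKERS = (
    "assemblies/assemblies.blob",
    "assemblies/assemblies.manifest",
    "lib/arm64-v8a/libmonodroid.so",
    "lib/arm64-v8a/libmonosgen-2.0.so",
)


def dotnet_indicators(apk_entries) -> list:
    """Return the marker paths that are present in the APK entry listing."""
    entries = set(apk_entries)
    return [m for m in DOTNET_ANDROID_MARKERS if m in entries]


# Constructed APK entry listing, e.g. from `unzip -l sample.apk`.
SAMPLE_ENTRIES = [
    "AndroidManifest.xml", "classes.dex", "resources.arsc",
    "assemblies/assemblies.blob", "assemblies/assemblies.manifest",
    "lib/arm64-v8a/libmonodroid.so", "lib/arm64-v8a/libmonosgen-2.0.so",
]


def triage(manifest_xml: str, apk_entries) -> dict:
    """Combine both checks; 'flag' is set when junk permissions appear in an
    APK that also carries managed .NET code outside of DEX."""
    report = suspicious_permissions(manifest_xml)
    report["dotnet_markers"] = dotnet_indicators(apk_entries)
    report["flag"] = bool(report["unknown"]) and bool(report["dotnet_markers"])
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_ENTRIES))
```

On real samples, feed `suspicious_permissions` the manifest produced by `apktool d` and `dotnet_indicators` the names from `zipfile.ZipFile(path).namelist()`. The naming-convention check is deliberately narrow: vendor and app-defined permissions live under other prefixes and are not flagged, so false positives come only from malformed names under the android.permission. namespace.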
“The main payload is ultimately hidden within C# code,” Shin said. “When a user interacts with an app, such as pressing a button, the malware quietly steals data and sends it to the C2 server.”