Cybersecurity researchers are calling attention to an Android malware campaign that leverages Microsoft’s .NET Multi-platform App UI (.NET MAUI) framework to create bogus banking and social media apps targeting Indian and Chinese-speaking users.
“These threats disguise themselves as legitimate apps, targeting users to steal sensitive information,” McAfee Labs researcher Dexter Shin said.
.NET MAUI is Microsoft’s cross-platform desktop and mobile app framework for creating native applications using C# and XAML. It represents an evolution of Xamarin, with added capabilities to not only create multi-platform apps using a single project, but also incorporate platform-specific source code as and when necessary.
It’s worth noting that official support for Xamarin ended on May 1, 2024, with the tech giant urging developers to migrate to .NET MAUI.
While Android malware implemented using Xamarin has been detected in the past, the latest development signals that threat actors are continuing to adapt and refine their tactics by developing new malware using .NET MAUI.
“These apps have their core functionalities written entirely in C# and stored as blob binaries,” Shin said. “This means that unlike traditional Android apps, their functionalities do not exist in DEX files or native libraries.”
This gives a newfound advantage to threat actors in that .NET MAUI acts as a packer, allowing the malicious artifacts to evade detection and persist on victim devices for extended periods of time.
The .NET MAUI-based Android apps, collectively codenamed FakeApp, and their associated package names are listed below –
- X (pkPrIg.cljOBO)
- 迷城 (pCDhCg.cEOngl)
- X (pdhe3s.cXbDXZ)
- X (ppl74T.cgDdFK)
- Cupid (pommNC.csTgAT)
- X (pINUNU.cbb8AK)
- 私密相册 (pBOnCi.cUVNXz)
- X•GDN (pgkhe9.ckJo4P)
- 迷城 (pCDhCg.cEOngl)
- 小宇宙 (p9Z2Ej.cplkQv)
- X (pDxAtR.c9C6j7)
- 迷城 (pg92Li.cdbrQ7)
- 依恋 (pZQA70.cFzO30)
- 慢夜 (pAQPSN.CcF9N3)
- indus credit card (indus.credit.card)
- Indusind Card (com.rewardz.card)
There is no evidence that these apps are distributed to Google Play. Rather, the main propagation vector involves tricking users into clicking on bogus links sent via messaging apps that redirect unwitting recipients to unofficial app stores.
In one example highlighted by McAfee, the app masquerades as an Indian financial institution to gather users’ sensitive information, including full names, mobile numbers, email addresses, dates of birth, residential addresses, credit card numbers, and government-issued identifiers.
Another app mimics the social media site X to steal contacts, SMS messages, and photos from victim devices. The app primarily targets Chinese-speaking users via third-party websites or alternative app stores.
Besides using encrypted socket communication to transmit harvested data to a command-and-control (C2) server, the malware has been observed including several meaningless permissions to the AndroidManifest.xml file (e.g., “android.permission.LhSSzIw6q”) in an attempt to break analysis tools.
Also used to remain undetected is a technique called multi-stage dynamic loading, which makes use of an XOR-encrypted loader responsible for launching an AES-encrypted payload that, in turn, loads .NET MAUI assemblies designed to execute the malware.
“The main payload is ultimately hidden within the C# code,” Shin said. “When the user interacts with the app, such as pressing a button, the malware silently steals their data and sends it to the C2 server.”
