This Android malware has found a way to become invisible thanks to a Microsoft tool

McAfee researchers have discovered traces of new malware targeting Android smartphones. The malware stands out by exploiting .NET MAUI (Multi-platform App UI), a cross-platform framework developed by Microsoft for building native mobile and desktop applications. Launched in 2022, the framework replaces Xamarin, which Microsoft acquired in 2016 and whose support ended last year.

To use the framework in their attacks, the hackers develop a malicious Android application in C# with .NET MAUI and store the application code as BLOB (Binary Large Object) files, which is unusual.

Hackers trick Android security

This trick lets the attackers bypass the security tools Google has built into the operating system. Android is not designed to analyze an application's BLOB files, so cybercriminals hide the malicious payload and fraudulent features in them. It is in these binary files that the malware actually lives, and as a result Google is unable to detect any suspicious activity. Such an app can find its way onto the Play Store, with its sea of potential victims, or be installed as an APK without raising a red flag on Android.

Furthermore, hackers use a veritable arsenal of tactics to remain undetected. McAfee cites encryption algorithms, shuffling app data, multi-stage execution, and adding unnecessary random strings to certain essential files. These tricks help to cover their tracks and complicate detection. With "these evasion techniques, threats can remain hidden for long periods of time, making analysis and detection much more difficult," McAfee explains.
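As an added illustration (not McAfee's tooling and not part of the original article), the script below shows the kind of quick triage an analyst can run on an APK: it lists every `.blob` entry and scores its byte entropy, so managed code that has been encrypted or packed, rather than shipped as a plain assembly, stands out. The `.blob` naming is assumed from the standard .NET for Android assembly-store layout, and the APK it inspects is constructed inline rather than taken from a real sample.

```python
import io
import math
import zipfile

# Assumption: .NET MAUI / .NET for Android builds pack managed assemblies into *.blob entries.
BLOB_SUFFIX = ".blob"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or compressed data, much lower for code or text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes: bytes, threshold: float = 7.5) -> dict:
    """Map each *.blob entry in the APK (a zip archive) to its size, entropy and an 'encrypted-like' flag."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.filename.lower().endswith(BLOB_SUFFIX):
                continue
            ent = shannon_entropy(apk.read(info))
            report[info.filename] = {
                "size": info.file_size,
                "entropy": round(ent, 2),
                "encrypted_like": ent >= threshold,
            }
    return report


def build_sample_apk() -> bytes:
    """Constructed sample APK (not a real malware sample): a tiny DEX stub plus two blob entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        # Plain assembly store: PE header bytes, padding and a name string, so low entropy.
        apk.writestr("assemblies/assemblies.blob", b"MZ" + b"\0" * 2048 + b"MauiApp.dll")
        # Payload-style blob: every byte value equally frequent, entropy of exactly 8.0.
        apk.writestr("assemblies/payload.blob", bytes(range(256)) * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, r in triage_apk(build_sample_apk()).items():
        print(f"{name}: {r['size']} bytes, entropy {r['entropy']}, encrypted-like={r['encrypted_like']}")
```

A high-entropy blob is not proof of malice on its own (legitimate apps also compress or obfuscate), but it tells the analyst which entries deserve a closer look before trusting a clean verdict from a DEX-only scan.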

Researchers have discovered several types of malicious applications exploiting .NET MAUI, including fake banking, dating, and communication apps. They also identified several fraudulent versions of X, the social network formerly known as Twitter. Cybercriminals spread their fake applications "via third-party websites or alternative app stores." These threats "disguise themselves as legitimate applications, targeting users to steal sensitive information."

Massive Data Theft

Once installed on the target's smartphone, unnoticed by Play Protect, the application requests login credentials such as passwords. This sensitive data is exfiltrated to remote servers controlled by the hackers. With banking credentials, the scammers can log into the account and carry out transactions without the victim's knowledge. Some apps also collect all of the target's SMS messages, likely in the hope of intercepting two-factor authentication codes.

So far, the malicious apps have primarily targeted Internet users in China and India. McAfee has notably discovered copies of apps from several Indian banks. However, the tactic is likely to spread quickly to the rest of the world.

As always, we recommend never downloading an app whose origin you do not know. Before installing an app, take the time to read the reviews and check who developed it. These simple steps often help spot scams and avoid nasty surprises.

Source: McAfee