New Android malware uses Microsoft's .NET MAUI to evade detection


New Android malware campaigns use Microsoft's .NET MAUI cross-platform framework while masquerading as legitimate services to evade detection.

The tactics were observed by McAfee's mobile research team, a member of the App Defense Alliance dedicated to improving Android security.

Although the apps McAfee observed target users in China and India, the discovery matters because the targeting could widen, and the same tactic could soon be adopted by other cybercriminals.

Use of .NET MAUI on Android

Launched in 2022, .NET MAUI is a C# application development framework introduced by Microsoft to replace Xamarin, supporting desktop and mobile platforms.

As a rule, Android apps are written in Java/Kotlin and store their code in DEX format, but it is technically possible to use .NET MAUI to build an Android app in C#, with the application logic stored in binary blob files.

Contemporary Android security tools are designed to scan DEX files for suspicious logic and do not examine blob files. This lets threat actors hide malicious code in the blobs and bypass detection.

This approach is even preferable to retrieving the malicious code after installation via updates, which is the standard tactic for most Android malware today.

In this case, the tactic is effective because C#-based apps and blob files on Android are obscure.

In addition to using .NET MAUI, the campaigns observed by McAfee use multilayer encryption (XOR + AES), staged execution, an `AndroidManifest.xml` file padded with randomly generated strings, and TCP sockets for command and control (C2) communications.
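The blind spot described above (code that lives in managed-assembly blobs rather than in DEX files) is something a defender can at least surface during APK triage, even without a .NET decompiler. The following Python script is an added example, not code from the McAfee report or from this article: it walks an APK's zip entries, separates the DEX entries a conventional scanner inspects from the managed-assembly entries it skips, and reports whether the app ships a .NET runtime at all. The entry-name conventions (`assemblies/` holding `.dll` or `assemblies.blob`, native runtime libraries such as `libmonodroid.so`) and the sample APK contents are my assumptions, constructed for the demo; the presence of a .NET runtime is not by itself a sign of malice, only a sign that DEX-only scanning has covered none of the app's real logic.

```python
import io
import re
import zipfile

# Entry-name patterns, assumed from how .NET/Xamarin Android apps are laid out
# (not taken from the McAfee report): managed assemblies sit under assemblies/
# as .dll files or packed into an assemblies.blob, and the runtime ships as
# native libraries such as libmonodroid.so.
ASSEMBLY_ENTRY = re.compile(r"^assemblies/.*\.(dll|blob|manifest)$")
DOTNET_RUNTIME_LIB = re.compile(r"^lib/[^/]+/lib(monodroid|monosgen-2\.0|xamarin-app)\.so$")


def triage_apk(apk_bytes: bytes) -> dict:
    """Classify an APK by where its executable logic can live.

    A DEX-only scanner sees only the entries under 'dex_entries'; anything
    under 'assembly_entries' is code it never inspects.
    """
    result = {
        "dex_entries": [],
        "assembly_entries": [],
        "dotnet_runtime_libs": [],
        "blob_bytes": 0,
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name.endswith(".dex"):
                result["dex_entries"].append(name)
            elif ASSEMBLY_ENTRY.match(name):
                result["assembly_entries"].append(name)
                if name.endswith(".blob"):
                    # Size of packed managed code that a DEX scan never looks at.
                    result["blob_bytes"] += info.file_size
            elif DOTNET_RUNTIME_LIB.match(name):
                result["dotnet_runtime_libs"].append(name)
    result["uses_dotnet_runtime"] = bool(
        result["assembly_entries"] or result["dotnet_runtime_libs"]
    )
    # The actionable finding: code outside DEX that a DEX-only scan silently skips.
    result["needs_assembly_analysis"] = result["uses_dotnet_runtime"]
    return result


def build_sample_apk(dotnet: bool) -> bytes:
    """Build a constructed, minimal APK-shaped zip for demonstration.

    Entry contents are placeholders; only the entry names matter here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder, not real binary XML
        z.writestr("classes.dex", b"dex\n035\x00")              # stub: in a .NET app this is only loader glue
        if dotnet:
            z.writestr("assemblies/assemblies.blob", b"\x00" * 4096)  # where the C# logic would live
            z.writestr("assemblies/assemblies.manifest", b"placeholder")
            z.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF")
            z.writestr("lib/arm64-v8a/libmonosgen-2.0.so", b"\x7fELF")
    return buf.getvalue()


def describe(result: dict) -> str:
    """One-line triage verdict for an analyst queue."""
    if not result["uses_dotnet_runtime"]:
        return "plain Java/Kotlin app: DEX scan covers its code"
    return (
        f"{len(result['assembly_entries'])} managed-assembly entries "
        f"({result['blob_bytes']} blob bytes) outside DEX; "
        "route to .NET assembly analysis, a DEX-only scan is blind here"
    )


if __name__ == "__main__":
    for flag in (False, True):
        print(describe(triage_apk(build_sample_apk(flag))))
```

In a real pipeline the `needs_assembly_analysis` flag would route the sample to tooling that unpacks the assembly blob and decompiles the managed code, which is where the XOR + AES layers and the C2 socket logic mentioned in the article would have to be examined; the point of the script is only to make sure such samples are never marked clean on the strength of a DEX scan alone.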

“With these evasion techniques, threats can remain hidden for long periods, which makes analysis and detection much more difficult,” warns McAfee.

“Furthermore, the discovery of several variants using the same core techniques suggests that this type of malware is becoming more and more common.”

Fake X apps steal data

In its report, McAfee identified several APKs as part of the campaigns using the .NET MAUI technique, including fake banking, communication, dating and social media apps such as X.

Fake X app
Source: McAfee

Researchers used two apps as examples, Industry and SNS, which are distributed outside Google Play, the official Android app store.

“In China, where access to the Google Play Store is restricted, these apps are often distributed via third-party websites or alternative app stores,” explains McAfee.

“This allows attackers to spread their malware more easily, especially in regions with limited access to official app stores.”

In the first case, the app pretends to be an Indian bank, prompting users to enter sensitive personal and financial information, which it exfiltrates to the C2 server.

Data exfiltration to the C2 server
Source: McAfee

In the case of the SNS app, which targets Chinese users, the app attempts to steal contact lists, SMS messages and photos stored on the device.

Stealing SMS, images and contacts
Source: McAfee

To minimize the risk of infection by these evasive malware apps, avoid downloading Android APKs from third-party app stores or dubious websites, and avoid clicking on links received via SMS or email.

If you are in a region where Google Play is not available, scan APKs for signs of malicious behavior and only install them from trusted sites.

Google Play Protect can detect and block the APKs McAfee identified as part of the latest campaigns, so make sure it is active on your device.

