Authored by Dexter Shin
Summary
Cybercriminals are constantly evolving their techniques to bypass security measures. Recently, the McAfee Mobile Research Team discovered malware campaigns abusing .NET MAUI, a cross-platform development framework, to evade detection. These threats disguise themselves as legitimate apps, targeting users to steal sensitive information. This blog highlights how this malware operates, its evasion techniques, and key recommendations for staying protected.
Background
In recent years, cross-platform mobile development frameworks have grown in popularity. Many developers use tools like Flutter and React Native to build apps that work on both Android and iOS. Among these tools, Microsoft provides a framework based on C#, called Xamarin. Since Xamarin is well known, cybercriminals sometimes use it to develop malware. We have previously discovered malware related to this framework. However, Microsoft ended support for Xamarin in May 2024 and released .NET MAUI as its replacement.
Unlike Xamarin, .NET MAUI expands platform support beyond mobile to include Windows and macOS. It also runs on .NET 6+, replacing the older .NET Standard, and introduces performance optimizations with a lightweight handler-based architecture instead of custom renderers.
As technology evolves, cybercriminals adapt as well. Reflecting this trend, we recently discovered new Android malware campaigns developed using .NET MAUI. These apps have their core functionality written entirely in C# and stored as blob binaries. This means that, unlike traditional Android apps, their functionality does not exist in DEX files or native libraries. However, many antivirus solutions focus on analyzing exactly those components to detect malicious behavior. As a result, .NET MAUI can act as a kind of packer, allowing malware to evade detection and remain active on devices for a long time.
In the following sections, we'll introduce two Android malware campaigns that use .NET MAUI to evade detection. These threats disguise themselves as legitimate services to steal sensitive information from users. We will explore how they operate and why they pose a significant risk to mobile security.
Am I protected?
McAfee Mobile Security already detects all of these apps as Android/FakeApp and protects users from these threats. For more information about our Mobile Product, visit McAfee Mobile Security.
Technical Findings
While we found several variants of these malicious apps, the following two examples are used to demonstrate how they evade detection.
First off, where are users finding these malicious apps? Often, these apps are distributed through unofficial app stores. Users are typically directed to such stores by clicking on phishing links shared by untrusted sources in messaging groups or text messages. This is why we at McAfee recommend that users avoid clicking on untrusted links.
Example 1: Fake Bank App
The first fake app we found disguises itself as IndusInd Bank, specifically targeting Indian users. When a user launches the app, it prompts them to enter personal and financial details, including their name, phone number, email, date of birth, and banking information. Once the user submits this data, it is immediately sent to the attacker's C2 (Command and Control) server.
Figure 1. Fake IndusInd Bank app's screen requesting user information
As mentioned earlier, this is not a traditional Android malware. Unlike typical malicious apps, there are no obvious traces of harmful code in the Java or native code. Instead, the malicious code is hidden inside blob files located in the assemblies directory.
Figure 2. Blob containing malicious code
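The point above is that a scanner which only looks at DEX files and native libraries never sees the C# payload. The following triage script is an added example (not McAfee's detection logic, and not code from the samples): it lists where an APK's code actually lives by counting DEX files and looking for the .NET for Android packaging markers, an assemblies/ directory with .blob files and a bundled Mono runtime library (libmonodroid.so). Those path names are the ones such builds emit in practice, but they are heuristics, since a packer can rename them; the sample APK built by build_constructed_apk is constructed in memory for the demonstration.

```python
"""Triage: does an APK carry a .NET (Xamarin / .NET MAUI) managed payload?

Added example, not McAfee's detection logic. The path names checked are the
ones a .NET for Android build emits in practice (an assemblies/ directory
holding assembly blobs and a Mono runtime library); they are heuristics,
since a determined packer can rename or relocate them.
"""
import io
import zipfile

# Markers of a managed (.NET) Android app. The real logic of such an app
# lives in the assemblies, not in classes.dex, so a DEX-only scan misses it.
MANAGED_MARKERS = {
    "assemblies_dir": lambda n: n.startswith("assemblies/"),
    "assembly_blob": lambda n: n.startswith("assemblies/") and n.endswith(".blob"),
    "mono_runtime": lambda n: n.startswith("lib/") and n.endswith("/libmonodroid.so"),
}


def inspect_apk(apk_bytes):
    """Summarise where an APK's code lives: DEX count plus any .NET markers."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    hits = {label: sorted(n for n in names if pred(n))
            for label, pred in MANAGED_MARKERS.items()}
    dex_count = sum(1 for n in names if n.startswith("classes") and n.endswith(".dex"))
    has_dotnet_payload = bool(hits["assembly_blob"]) or bool(hits["mono_runtime"])
    return {
        "dex_count": dex_count,
        "dotnet_payload": has_dotnet_payload,
        "markers": hits,
        # Analyst hint: the blob is where the C# logic sits, so that is what to escalate.
        "escalate": hits["assembly_blob"] if has_dotnet_payload else [],
    }


def build_constructed_apk(with_dotnet):
    """Build a minimal in-memory ZIP that mimics an APK layout (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        # Thin DEX glue: magic header followed by filler, not a valid DEX.
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)
        if with_dotnet:
            zf.writestr("assemblies/assemblies.blob", b"constructed-assembly-store")
            zf.writestr("assemblies/assemblies.manifest", b"constructed")
            zf.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF-constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(inspect_apk(build_constructed_apk(flag)))
```

In a pipeline, a hit on `dotnet_payload` should route the listed blob files to a tool that can unpack the assembly store and decompile the managed code, rather than treating the thin classes.dex as the whole app.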
The following code snippet shows how the app collects and transmits user data to the C2 server. Based on the code, the app structures the required information as parameters before sending it to the C2 server.
Figure 3. C# code responsible for stealing user data and sending it to the C2 server
Example 2: Fake SNS App
In contrast to the first fake app, this second malware is much more difficult for security researchers to analyze. It specifically targets Chinese-speaking users and attempts to steal contacts, SMS messages, and photos from their devices. In China, where access to the Google Play Store is restricted, such apps are often distributed through third-party websites or alternative app stores. This allows attackers to spread their malware more easily, especially in regions with limited access to official app stores.
Figure 4. Distribution website and fake X app targeting Chinese-speaking users
One of the key techniques this malware uses to remain undetected is multi-stage dynamic loading. Instead of directly embedding its malicious payload in an easily accessible format, it encrypts and loads its DEX files in three separate stages, making analysis significantly harder.
In the first stage, the app's main activity, defined in AndroidManifest.xml, decrypts an XOR-encrypted file and loads it dynamically. This initial file acts as a loader for the next stage. In the second stage, the dynamically loaded file decrypts another AES-encrypted file and loads it. This second stage still does not reveal the core malicious behavior but serves as another layer of obfuscation. Finally, in the third stage, the decrypted file contains code related to the .NET MAUI framework, which is then loaded to execute the main payload.
Figure 5. Multi-stage dynamic loading
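An analyst looking at the first stage has one advantage: the decrypted output is a DEX file, whose header starts with a known magic and contains fixed fields. The script below is an added example, not from the McAfee post or the samples, showing how a defender can recover an XOR-wrapped DEX without ever running the loader. The post says the first stage is XOR-encrypted but not how long the key is; the example therefore assumes a repeating key of at most 8 bytes (a single-byte key is the length-1 case) and derives the key bytes from the magic, then verifies each guess against the header_size and endian_tag fields further into the header so that a wrong guess is never reported. The AES second stage is out of scope, since its key is not on the page; build_constructed_stage produces a constructed sample for the demonstration.

```python
"""Recover a repeating-key-XOR-wrapped DEX by exploiting its known header.

Added example, not from the McAfee post. The post says the first stage is
XOR-encrypted but not how long the key is; this assumes a repeating key of
at most 8 bytes (the single-byte case is covered as key length 1) and
verifies each guess against fixed DEX header fields, so a bad key is never
reported. The AES second stage is out of scope: its key is not on the page.
"""
DEX_VERSIONS = (b"035", b"037", b"038", b"039")
HEADER_SIZE_FIELD = (0x70).to_bytes(4, "little")        # header_size at offset 0x24
ENDIAN_TAG_FIELD = (0x12345678).to_bytes(4, "little")   # endian_tag at offset 0x28


def looks_like_dex(data):
    """Check the magic plus two fixed header fields that sit well past the magic."""
    if len(data) < 0x2C:
        return False
    return (data[:4] == b"dex\n" and data[4:7] in DEX_VERSIONS and data[7] == 0
            and data[0x24:0x28] == HEADER_SIZE_FIELD
            and data[0x28:0x2C] == ENDIAN_TAG_FIELD)


def xor_repeating(data, key):
    """XOR data with a repeating key (symmetric: wraps and unwraps)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_repeating_xor(blob, max_key_len=8):
    """Return (key, plaintext) for the shortest key that yields a DEX header,
    or (None, None). Key bytes are derived from the known magic and then
    checked against header_size / endian_tag, which the derivation never touched."""
    if len(blob) < 0x2C:
        return None, None
    for klen in range(1, max_key_len + 1):
        for ver in DEX_VERSIONS:
            magic = b"dex\n" + ver + b"\0"
            key = bytes(blob[i] ^ magic[i] for i in range(klen))
            plain = xor_repeating(blob, key)
            if looks_like_dex(plain):
                return key, plain
    return None, None


def build_constructed_stage(key):
    """Constructed sample: a 0x70-byte DEX header (magic + fixed fields), XOR-wrapped."""
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\0"
    header[0x24:0x28] = HEADER_SIZE_FIELD
    header[0x28:0x2C] = ENDIAN_TAG_FIELD
    return xor_repeating(bytes(header), key)


if __name__ == "__main__":
    wrapped = build_constructed_stage(b"k3y")
    key, plain = recover_repeating_xor(wrapped)
    print("key:", key, "header ok:", looks_like_dex(plain))
```

Because the check uses bytes the key derivation did not consume, an 8-byte key is verified against 8 independent header bytes rather than trivially matching the magic. On a real sample the recovered file should still be validated in full (checksum, map list) before it is handed to a decompiler.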
The main payload is ultimately hidden within the C# code. When the user interacts with the app, such as pressing a button, the malware silently steals their data and sends it to the C2 server.
Figure 6. C# code responsible for stealing photos, contacts, and SMS data
Beyond multi-stage dynamic loading, this malware also employs additional techniques to make analysis harder. One technique is manipulating the AndroidManifest.xml file by adding an excessive number of unnecessary permissions. These permissions consist largely of meaningless, randomly generated strings, which can cause errors in certain analysis tools. This tactic helps the malware evade detection by disrupting automated scanners and static analysis.
Figure 7. AndroidManifest.xml file with extreme random permissions
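Permission stuffing is cheap to detect once you look for it, and the important defensive property is that a parser failure must not turn into a clean verdict. The script below is an added example, not McAfee's tooling: it extracts uses-permission names from a decoded (plain-text) AndroidManifest.xml, flags names that do not have the shape of a real permission, and falls back to a regex scan if the XML parser rejects the file. The name-shape regex, the thresholds (max_total, max_implausible) and the three sample manifests are constructed for this illustration; binary AXML is assumed to have been decoded beforehand.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for permission stuffing.

Added example, not McAfee's tooling. Assumes the manifest has already been
decoded to plain-text XML (binary AXML is not parsed here). Thresholds and
the name-shape regex are heuristics chosen for this illustration.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# A plausible permission name is dotted, with a lower-case package prefix and
# an UPPER_CASE final segment, e.g. android.permission.READ_SMS.
PLAUSIBLE_NAME = re.compile(r"^[a-z]\w*(\.\w+)*\.[A-Z][A-Z0-9_]+$")

# Fallback extraction for manifests the XML parser rejects: junk permissions
# can break analysis tools, and a parser failure must not become a clean verdict.
RAW_PERMISSION = re.compile(r'<uses-permission[^>]*android:name="([^"]*)"')


def extract_permission_names(manifest_xml):
    """Return (names, parsed_cleanly); falls back to a regex scan on parse errors."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return RAW_PERMISSION.findall(manifest_xml), False
    names = [el.get("{%s}name" % ANDROID_NS, "") for el in root.iter("uses-permission")]
    return names, True


def assess_permissions(manifest_xml, max_total=40, max_implausible=3):
    """Flag a manifest as suspicious on volume, on junk names, or on parse failure."""
    names, clean = extract_permission_names(manifest_xml)
    implausible = [n for n in names if not PLAUSIBLE_NAME.match(n)]
    suspicious = (len(names) > max_total
                  or len(implausible) >= max_implausible
                  or not clean)
    return {"total": len(names), "implausible": implausible,
            "parsed_cleanly": clean, "suspicious": suspicious}


# Constructed samples (not from the analysed apps).
SAMPLE_STUFFED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="qZk8LmPwX2vT"/>
    <uses-permission android:name="Hs9dKqLr"/>
    <uses-permission android:name="x.nVbTq.7"/>
    <uses-permission android:name="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"/>
    <application android:label="constructed"/>
</manifest>
"""

SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="constructed"/>
</manifest>
"""

# An unescaped ampersand makes this XML ill-formed, so the parser raises.
SAMPLE_MALFORMED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="zz&zz"/>
</manifest>
"""

if __name__ == "__main__":
    for label, sample in (("stuffed", SAMPLE_STUFFED), ("benign", SAMPLE_BENIGN),
                          ("malformed", SAMPLE_MALFORMED)):
        print(label, assess_permissions(sample))
```

The regex fallback deliberately keeps working on input the XML parser refuses, which is the failure mode the manipulated manifests are aimed at; any tool in the pipeline that raises on such a manifest should be treated as a coverage gap, not as "no findings".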
Another key technique is encrypted socket communication. Instead of using standard HTTP requests, which are easier to intercept, the malware relies on TCP socket connections to transmit data. This approach makes it difficult for traditional HTTP proxy tools to capture the network traffic. Additionally, the malware encrypts the data before sending it, meaning that even if the packets are intercepted, their contents remain unreadable.
One more important aspect to note is that this malware adopts various themes to attract users. In addition to the fake X app, we also discovered several dating apps that use the same techniques. These apps had different background images but shared the same structure and functionality, indicating that they were likely created by the same developer as the fake X app. The continuous emergence of similar apps suggests that this malware is being widely distributed among Chinese-speaking users.
Figure 8. Various fake apps using the same technique
Recommendations and Conclusion
The rise of .NET MAUI-based malware highlights how cybercriminals are evolving their techniques to avoid detection. Some of the techniques described include:
- hiding code blobs inside assemblies
- multi-stage dynamic loading
- encrypted communications
With these evasion techniques, the threats can remain hidden for long periods, making analysis and detection significantly harder. Furthermore, the discovery of multiple variants using the same core techniques suggests that this type of malware is becoming increasingly common.
Users should always be cautious when downloading and installing apps from unofficial sources, as these platforms are often exploited by attackers to distribute malware. This is especially concerning in countries like China, where access to official app stores is restricted, making users more vulnerable to such threats.
To keep up with the rapid evolution of cybercriminal tactics, users are strongly advised to install security software on their devices and keep it up to date at all times. Staying vigilant and ensuring that security measures are in place can help protect against emerging threats. By using McAfee Mobile Security, users can enhance their device security and detect threats related to this type of malware in real time.
Glossary of Terms
Indicators of Compromise (IOCs)
APKs:
C2:
- tcp[://]120.27.233.135:1833
- https[://]onlinedeskapi.com