Newly documented Android malware campaigns are abusing Microsoft's cross-platform framework, .NET MAUI, to pose as legitimate applications and evade detection. The technique was identified by McAfee's Mobile Research Team, a member of the App Defense Alliance, which works on improving Android security. The current targets are users in China and India, but nothing in the technique ties it to those regions, and other cybercriminals may soon adopt it.

Understanding .NET MAUI on Android

Released in 2022, .NET MAUI is Microsoft's C# framework for building apps, the successor to Xamarin, and it targets both desktop and mobile platforms. A conventional Android app is written in Java or Kotlin and compiled to Dalvik bytecode in classes.dex. A .NET MAUI app is written in C# and compiled into .NET assemblies, which the build packs into binary blob files inside the APK; the DEX code that ships alongside is mostly runtime glue. Many Android security tools parse DEX bytecode only and never look inside these blobs, so malicious logic placed there goes unexamined.

Advantages of Using .NET MAUI

.NET MAUI works well for the attackers because C#-based apps, and the blob files they carry, are rare on Android and fall outside what standard scanners are built to inspect. It also improves on the usual dropper pattern, where a clean-looking app fetches its malicious code after installation through an "update": here the full payload is already inside the APK, just in a form the scanners do not read, so there is no second-stage download to intercept.

  • Multi-layered Encryption: The campaigns wrap strings and payloads in XOR and AES encryption and unpack them in stages at runtime, so little of the malicious logic is readable in a static dump.
  • Command-and-Control Communications: The malware talks to its C2 server over a raw TCP socket rather than HTTP, which keeps its traffic out of the HTTP-focused inspection many defenses rely on.
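The detection gap described above (scanners parse classes.dex but ignore the .NET assembly blobs) is easy to close at triage time by simply listing what the APK contains. The script below is an added example written for this article, not code from McAfee's report or from any scanner: it opens an APK as the zip file it is, reports whether it carries a DEX file, an assembly store, loose .dll files, or the Mono native libraries that Xamarin/.NET MAUI apps ship with, and checks the assembly store's header. The artifact names and the two magic values are taken from the xamarin-android assembly-store format and are assumptions here; the sample APK it builds is constructed for the demo and is not a malware sample.

```python
"""Triage an APK for .NET MAUI / Xamarin artifacts that DEX-only scanners skip."""
import io
import sys
import zipfile

# Zip entries that mark a .NET (Xamarin / MAUI) Android app. The assembly store
# (assemblies.blob + assemblies.manifest) holds the app's C# logic. Names are
# assumed from the xamarin-android assembly-store layout, not from the report.
ASSEMBLY_STORE_ENTRIES = (
    "assemblies/assemblies.blob",
    "assemblies/assemblies.manifest",
)
MONO_NATIVE_LIBS = ("libmonodroid.so", "libmonosgen-2.0.so", "libxamarin-app.so")

# Header magics (assumption, per the xamarin-android assembly-store format).
ASSEMBLY_STORE_MAGIC = b"XABA"   # start of assemblies.blob
LZ4_ASSEMBLY_MAGIC = b"XALZ"     # start of an LZ4-compressed .dll entry


def triage_apk(apk_bytes: bytes) -> dict:
    """Return which .NET artifacts an APK carries alongside its DEX presence."""
    result = {
        "has_dex": False,
        "assembly_store": False,
        "store_magic_ok": None,        # None when there is no assemblies.blob
        "dotnet_assemblies": [],       # loose assemblies/*.dll entries
        "compressed_assemblies": [],   # .dll entries carrying the XALZ header
        "mono_native_libs": [],
        "is_dotnet": False,
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        result["has_dex"] = any(n.endswith(".dex") for n in names)
        for n in names:
            base = n.rsplit("/", 1)[-1]
            if n in ASSEMBLY_STORE_ENTRIES:
                result["assembly_store"] = True
            if n.startswith("assemblies/") and n.endswith(".dll"):
                result["dotnet_assemblies"].append(n)
                with zf.open(n) as fh:
                    if fh.read(4) == LZ4_ASSEMBLY_MAGIC:
                        result["compressed_assemblies"].append(n)
            if n.startswith("lib/") and base in MONO_NATIVE_LIBS:
                result["mono_native_libs"].append(n)
        if "assemblies/assemblies.blob" in names:
            with zf.open("assemblies/assemblies.blob") as fh:
                result["store_magic_ok"] = fh.read(4) == ASSEMBLY_STORE_MAGIC
    # Any one of these is enough: a DEX-only scan of this APK misses the real code.
    result["is_dotnet"] = bool(
        result["assembly_store"]
        or result["dotnet_assemblies"]
        or result["mono_native_libs"]
    )
    return result


def build_sample_apk(dotnet: bool) -> bytes:
    """Constructed sample (not real malware): a minimal zip shaped like an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary XML stub
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8)  # DEX header stub
        if dotnet:
            zf.writestr("assemblies/assemblies.manifest", "Hash 32 Hash 64 Store ID Store idx Name\n")
            zf.writestr("assemblies/assemblies.blob", ASSEMBLY_STORE_MAGIC + b"\x00" * 28)
            zf.writestr("assemblies/App.dll", LZ4_ASSEMBLY_MAGIC + b"\x00" * 12)
            zf.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python triage.py some.apk   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(True)
    for key, value in triage_apk(data).items():
        print(f"{key}: {value}")
```

Feeding this into a pipeline is the point: when `is_dotnet` is true, route the APK to tooling that can unpack the assembly store and decompile the .NET assemblies instead of stopping at the DEX verdict.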

Fake Apps and Data Theft

McAfee's report highlights several APKs built with the .NET MAUI technique, including fake banking, communication, dating, and social media apps. The samples, such as IndusInd and SNS, are distributed outside Google Play, through third-party websites or alternative app stores, particularly in regions like China where Google Play is not available.

Examples of Data Exfiltration

In one instance, an app impersonates an Indian bank, urging users to provide sensitive personal and financial information, which is then sent to a C2 server. Another app, targeting Chinese-speaking users, attempts to steal contact lists, SMS messages, and photos from the device.

Protecting Against Evasive Malware

To reduce the risk of infection from these apps, do not install Android APKs from third-party app stores or untrustworthy websites, and do not follow links that arrive unsolicited by SMS or email. Where Google Play is unavailable, install APKs only from sources you already trust, confirm the package is signed by the expected developer, and scan it with a reputable mobile security product before installing it. Google Play Protect detects and blocks the APKs McAfee identified, so make sure it is enabled on your device.
