

Ethical Hacking News

Hackers Utilize .NET MAUI to Craft Sophisticated Malware Campaign Targeting Indian and Chinese Users



Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps

A new malware campaign has been uncovered that uses Microsoft's .NET Multi-platform App UI (MAUI) framework to create malicious banking and social media applications. The campaign specifically targets Indian and Chinese-speaking users, exploiting their linguistic and cultural preferences to trick them into installing the malware.

  • THN has uncovered a novel malware campaign called "FakeApp" that leverages Microsoft's .NET MAUI framework to create convincing yet malicious banking and social media applications.
  • The campaign specifically targets Indian and Chinese-speaking users, exploiting their linguistic and cultural preferences to trick them into installing the malware.
  • .NET MAUI, the framework used in this campaign, is the evolution of Xamarin, with added capabilities to create multi-platform apps using a single project.
  • The malware relies on C# code and .NET MAUI's packer feature to evade detection and persist on victim devices for extended periods of time.
  • The main payload steals user data and sends it to a command-and-control (C2) server, designed to remain undetected.
  • The campaign uses multi-stage dynamic loading techniques to evade detection and persist on victim devices.



    THN has uncovered a novel malware campaign that leverages Microsoft's .NET Multi-platform App UI (.NET MAUI) framework to create convincing, yet malicious, banking and social media applications. The campaign, which has been dubbed "FakeApp" by cybersecurity researchers, is specifically tailored to target Indian and Chinese-speaking users, exploiting their linguistic and cultural preferences to trick them into installing the malware.

    The use of .NET MAUI in this campaign is a significant development. .NET MAUI is the evolution of Xamarin, with added capabilities to create multi-platform apps using a single project. Official support for Xamarin ended on May 1, 2024, prompting Microsoft to urge developers to migrate to .NET MAUI. Threat actors have adapted in turn, refining their tactics by developing new malware with this framework.

    The FakeApp campaign consists of several malicious applications, each with its core functionality written entirely in C# and stored as blob binaries. Because .NET MAUI effectively acts as a packer, this approach allows the malware to evade detection and persist on victim devices for extended periods of time. The malicious artifacts are launched through an XOR-encrypted loader, which subsequently loads AES-encrypted payloads containing the actual malware.
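
    As an added illustration (not code from McAfee, THN, or this article), a defender's triage check for the point above: it opens an APK as a zip and reports whether its logic sits in .NET assembly-store blobs rather than DEX. The entry names, the `XABA` magic and the header layout are assumptions about .NET for Android packaging, and the sample APK is constructed in memory.

```python
import io
import re
import struct
import zipfile

# Assumptions (not from the article): .NET for Android keeps managed assemblies in
# "assembly store" entries named assemblies/assemblies*.blob that begin with the
# magic b"XABA", followed by little-endian uint32 version and assembly count.
STORE_NAME = re.compile(r"assemblies/assemblies(\.[\w-]+)?\.blob")
DEX_NAME = re.compile(r"classes\d*\.dex")
STORE_MAGIC = b"XABA"


def triage_apk(apk):
    """Report where an APK keeps its code: Dalvik DEX files vs. .NET assembly stores."""
    report = {"dex_bytes": 0, "stores": [], "needs_dotnet_analysis": False}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if DEX_NAME.fullmatch(info.filename):
                report["dex_bytes"] += info.file_size
            elif STORE_NAME.fullmatch(info.filename):
                with zf.open(info) as fh:
                    head = fh.read(12)
                entry = {"name": info.filename, "size": info.file_size,
                         "valid_magic": head[:4] == STORE_MAGIC}
                if entry["valid_magic"] and len(head) == 12:
                    _, entry["version"], entry["assemblies"] = struct.unpack("<4sII", head)
                report["stores"].append(entry)
    # Any store means the app logic is C#; a DEX-only scan sees just the bootstrap.
    report["needs_dotnet_analysis"] = bool(report["stores"])
    return report


def build_sample_apk(with_store):
    """Constructed in-memory APK-like zip with placeholder bytes (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        if with_store:
            header = struct.pack("<4sIII", STORE_MAGIC, 1, 3, 3)
            zf.writestr("assemblies/assemblies.blob", header + b"\x00" * 4096)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_apk(build_sample_apk(flag)))
```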

    According to McAfee Labs researcher Dexter Shin, the main payload is ultimately hidden within the C# code, and when a user interacts with the app, such as pressing a button, the malware silently steals their data and sends it to the command-and-control (C2) server. This indicates that the malware has been designed to remain undetected, using meaningless permissions in the AndroidManifest.xml file to break analysis tools.

    The FakeApp campaign is particularly noteworthy due to its use of multi-stage dynamic loading, which involves an XOR-encrypted loader responsible for launching the AES-encrypted payload. The payload itself is designed to execute .NET MAUI assemblies containing the actual malware. This technique allows the threat actors to evade detection and persist on victim devices.

    The specific package names used in the FakeApp campaign are listed below:

    X (pkPrIg.cljOBO)
    迷城 (pCDhCg.cEOngl)
    X (pdhe3s.cXbDXZ)
    X (ppl74T.cgDdFK)
    Cupid (pommNC.csTgAT)
    X (pINUNU.cbb8AK)
    私密相册 (pBOnCi.cUVNXz)
    X•GDN (pgkhe9.ckJo4P)
    迷城 (pCDhCg.cEOngl)
    小宇宙 (p9Z2Ej.cplkQv)
    X (pDxAtR.c9C6j7)
    迷城 (pg92Li.cdbrQ7)
    依恋 (pZQA70.cFzO30)
    慢夜 (pAQPSN.CcF9N3)
    indus credit card (indus.credit.card)
    Indusind Card (com.rewardz.card)

    It is essential to note that these apps are not distributed through official channels, such as the Google Play Store. Instead, the main propagation vector involves tricking users into clicking on bogus links sent via messaging apps that redirect unwitting recipients to unofficial app stores.

    The FakeApp campaign demonstrates a sophisticated and adaptive approach to malware development, with threat actors leveraging Microsoft's .NET MAUI framework to create convincing yet malicious applications. This highlights the need for continued vigilance and awareness among users, particularly Indian and Chinese-speaking users, who are being targeted by this specific campaign.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Utilize-NET-MAUI-to-Craft-Sophisticated-Malware-Campaign-Targeting-Indian-and-Chinese-Users-ehn.shtml

  • https://thehackernews.com/2025/03/hackers-use-net-maui-to-target-indian.html


  • Published: Tue Mar 25 05:08:49 2025 by llama3.2 3B Q4_K_M












