Ethical Hacking News
A new wave of Android malware has emerged, utilizing Microsoft's .NET MAUI framework to evade detection by traditional security tools. The malicious apps discovered by McAfee target users in China and India and employ sophisticated tactics to bypass detection, including multi-layered encryption, staged execution, and the use of binary blob files. To stay safe, users are advised to avoid downloading APKs from third-party stores and only install them from trusted sites.
A new wave of Android malware has emerged, utilizing Microsoft's cross-platform framework .NET MAUI to evade detection by traditional security tools. According to a recent report from McAfee's Mobile Research Team, a member of the App Defense Alliance dedicated to enhancing Android security, this latest malicious campaign targets users in China and India.
The report highlights that the apps, which appear as legitimate services, employ a sophisticated tactic to bypass detection by contemporary Android security tools. By using .NET MAUI on Android, threat actors can conceal malicious code within binary blob files, which are not typically examined by existing security solutions. This approach allows attackers to hide their nefarious intentions, making it challenging for security experts to identify and neutralize the threats.
Launched in 2022, .NET MAUI is an app development framework in C#, introduced by Microsoft as a replacement to Xamarin, supporting both desktop and mobile platforms. Typically, Android apps are written in Java/Kotlin and stored in DEX format, but it's technically possible to use .NET MAUI to build an Android app in C# with the app's logic stored inside binary blob files.
This approach has proven effective for the attackers because C#-based apps and their blob files are relatively uncommon on Android. Security tools built to scan DEX files for suspicious logic do not examine blob files at all, so malicious code stored there escapes detection through this blind spot in scanning coverage.
Apart from utilizing .NET MAUI, the campaigns observed by McAfee employ multi-layered encryption (XOR + AES), staged execution, 'AndroidManifest.xml' bloating with randomly generated strings, and a raw TCP socket for command-and-control (C2) communications. Combined with the use of .NET MAUI, these tactics allow the malware to remain hidden for extended periods and make analysis and detection significantly more challenging.
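The packaging traits described above (app logic shipped in assembly blobs rather than DEX, plus a padded manifest) can be surfaced by a static triage pass that looks beyond `classes.dex`. The script below is an added example and is not code from the article or from McAfee's research. It assumes the packaging layout of .NET for Android / .NET MAUI builds (an `assemblies/` directory holding `.dll` files or an `assemblies.blob` store, an `XALZ` header on LZ4-compressed assemblies, and Mono runtime libraries such as `libmonodroid.so` under `lib/<abi>/`); the manifest-size threshold and the in-memory sample APKs are constructed for the demonstration.

```python
"""Static triage of an APK for .NET MAUI / Xamarin packaging artefacts.

Added example (not from the McAfee report): flags the traits the article
describes so that a DEX-only scanner's blind spot becomes visible.
"""
import io
import os
import random
import string
import zipfile

# Assumed packaging conventions of .NET for Android builds (not taken from the page):
# managed code lives under assemblies/ as .dll files or a single assembly store blob,
# and the Mono runtime ships as native libraries under lib/<abi>/.
ASSEMBLY_DIR = "assemblies/"
ASSEMBLY_STORE = "assemblies/assemblies.blob"
DOTNET_NATIVE_LIBS = {"libmonodroid.so", "libmonosgen-2.0.so", "libxamarin-app.so"}
XALZ_MAGIC = b"XALZ"  # header of LZ4-compressed Xamarin assemblies (assumed)

MANIFEST_BLOAT_BYTES = 256 * 1024  # constructed threshold for "manifest bloating"


def triage_apk(apk_bytes: bytes, bloat_threshold: int = MANIFEST_BLOAT_BYTES) -> dict:
    """Return packaging facts and a list of indicator strings for one APK."""
    result = {
        "dex_files": [],
        "assembly_files": [],
        "dotnet_runtime": False,
        "manifest_size": 0,
        "indicators": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".dex"):
                result["dex_files"].append(name)
            elif name.startswith(ASSEMBLY_DIR) and not name.endswith("/"):
                result["assembly_files"].append(name)
            elif name.startswith("lib/") and os.path.basename(name) in DOTNET_NATIVE_LIBS:
                result["dotnet_runtime"] = True
            elif name == "AndroidManifest.xml":
                result["manifest_size"] = info.file_size  # uncompressed size

        # Peek at each .dll: an XALZ header means the assembly is LZ4-compressed,
        # so a byte-signature scan of the raw entry would miss its contents.
        compressed = [
            n for n in result["assembly_files"]
            if n.endswith(".dll") and zf.read(n)[:4] == XALZ_MAGIC
        ]

    if result["dotnet_runtime"] or result["assembly_files"]:
        result["indicators"].append("dotnet_runtime_present")
    if ASSEMBLY_STORE in result["assembly_files"]:
        result["indicators"].append("assembly_store_blob")
    if compressed:
        result["indicators"].append("xalz_compressed_assemblies")
    if result["manifest_size"] > bloat_threshold:
        result["indicators"].append("manifest_bloat")
    return result


def build_sample_apk(kind: str) -> bytes:
    """Constructed in-memory APK: 'maui' mimics the traits above, 'plain' is a DEX-only app."""
    rng = random.Random(2025)  # deterministic so the output is reproducible
    manifest = b'<manifest package="com.example.app"><application/></manifest>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)  # placeholder DEX header
        if kind == "maui":
            # Pad the manifest with thousands of random-string entries, as the report describes.
            padding = "".join(
                '<meta-data android:name="%s"/>' % "".join(rng.choices(string.ascii_letters, k=40))
                for _ in range(8000)
            )
            manifest = manifest.replace(
                b"<application/>", b"<application>" + padding.encode() + b"</application>"
            )
            zf.writestr(ASSEMBLY_STORE, b"\x00" * 64)                 # placeholder store content
            zf.writestr("assemblies/MyApp.dll", XALZ_MAGIC + b"\x00" * 32)
            zf.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF" + b"\x00" * 32)
        zf.writestr("AndroidManifest.xml", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("plain", "maui"):
        report = triage_apk(build_sample_apk(kind))
        print(kind, "dex:", report["dex_files"], "indicators:", report["indicators"])
```

Both sample APKs contain a `classes.dex`, which is the point: a scanner that stops at the DEX file sees the same thing in both, while the triage pass reports the .NET runtime, the assembly store and the oversized manifest only for the MAUI-style package. Real .NET MAUI apps legitimately carry these runtime artefacts, so the indicators are a prompt for deeper inspection of the managed assemblies, not a verdict on their own.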
The malicious apps discovered by McAfee are fake banking, communication, dating, and social media applications, including X, which appears to be a mock-up of the popular messaging app. These fake services are often distributed outside Google Play, Android's official app store, allowing attackers to spread their malware more easily in regions with limited access to official app stores.
In China, where access to the Google Play Store is restricted, these apps are frequently disseminated through third-party websites or alternative app stores, which gives attackers an easier distribution channel than the official store would.
The first case, involving an Indian bank, impersonates a legitimate financial institution and prompts users to input sensitive personal and financial information. The exfiltrated data is then transmitted to the C2 server, where it can be exploited by the attackers for malicious purposes.
In contrast, the social networking (SNS) app, targeting Chinese-speaking users, attempts to steal contact lists, SMS messages, and photos stored on the device. This demonstrates the versatility of the malware: the same fake-app approach can be used to collect a wide range of sensitive information from unsuspecting victims.
To minimize the risk of infection by these evasive malware apps, users are advised to avoid downloading Android APKs from third-party app stores or obscure websites and to avoid clicking on links received via SMS or email. In regions where Google Play is unavailable, it is essential to scan APKs for malicious signs and to install them only from trusted sites.
Google Play Protect can detect and block the APKs identified by McAfee as part of the latest campaigns, so ensure that this feature is active on your device.
The emergence of .NET MAUI-based Android malware highlights the need for ongoing vigilance in the fight against mobile threats. As attackers continue to evolve their tactics, it is essential for security experts and users alike to stay informed about the latest malicious campaigns and take proactive measures to protect themselves from these evolving threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Android-Malware-Unleashes-NET-MAUI-to-Bypass-Detection-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-android-malware-uses-microsofts-net-maui-to-evade-detection/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-android-malware-campaigns-evading-detection-using-cross-platform-framework-net-maui/
Published: Tue Mar 25 09:05:23 2025 by llama3.2 3B Q4_K_M