Tuesday, March 25, 2025

New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI


Authored by Dexter Shin 

Abstract 

Cybercriminals are always evolving their methods to bypass security measures. Recently, the McAfee Mobile Research Team discovered malware campaigns abusing .NET MAUI, a cross-platform development framework, to evade detection. These threats disguise themselves as legitimate apps, targeting users to steal sensitive information. This blog highlights how these malware operate, their evasion techniques, and key recommendations for staying protected.

Background 

Recently, cross-platform mobile development frameworks have grown in popularity. Many developers use tools like Flutter and React Native to build apps that work on both Android and iOS. Among these tools, Microsoft provides a framework based on C#, called Xamarin. Since Xamarin is well-known, cybercriminals often use it to develop malware. We have previously found malware related to this framework. However, Microsoft ended support for Xamarin in May 2024 and released .NET MAUI as its replacement.

Unlike Xamarin, .NET MAUI expands platform support beyond mobile to include Windows and macOS. It also runs on .NET 6+, replacing the older .NET Standard, and introduces performance optimizations with a lightweight handler-based architecture instead of custom renderers.

As technology evolves, cybercriminals adapt as well. Reflecting this trend, we recently discovered new Android malware campaigns developed using .NET MAUI. These apps have their core functionality written entirely in C# and stored as blob binaries. This means that, unlike traditional Android apps, their functionality does not exist in DEX files or native libraries. However, many antivirus solutions focus on analyzing exactly these components to detect malicious behavior. As a result, .NET MAUI can act as a kind of packer, allowing malware to evade detection and remain active on devices for a long time.

In the following sections, we will introduce two Android malware campaigns that use .NET MAUI to evade detection. These threats disguise themselves as legitimate services to steal sensitive information from users. We will explore how they operate and why they pose a significant risk to mobile security.

Am I protected? 

McAfee Mobile Security already detects all of these apps as Android/FakeApp and protects users from these threats. For more information about our Mobile Product, visit McAfee Mobile Security.

Technical Findings

While we found several variations of these malicious apps, the following two examples are used to demonstrate how they evade detection.

First off, where are users finding these malicious apps? Typically, these apps are distributed through unofficial app stores. Users are often directed to such stores by clicking on phishing links made available through untrusted sources in messaging groups or text messages. This is why we at McAfee recommend that users avoid clicking on untrusted links.

Example 1: Fake Bank App

The first fake app we found disguises itself as IndusInd Bank, specifically targeting Indian users. When a user launches the app, it prompts them to enter personal and financial details, including their name, phone number, email, date of birth, and banking information. Once the user submits this data, it is immediately sent to the attacker's C2 (Command and Control) server.

Figure 1. Fake IndusInd Bank app's screen requesting user information

As mentioned earlier, this isn't a traditional Android malware. Unlike typical malicious apps, there are no obvious traces of harmful code in the Java or native code. Instead, the malicious code is hidden inside blob files located in the assemblies directory.

Figure 2. Blob contains malicious code

The following code snippet shows how the app collects and transmits user data to the C2 server. Based on the code, the app structures the required information as parameters before sending it to the C2 server.

Figure 3. C# code responsible for stealing user data and sending it to the C2 server

Example 2: Fake SNS App

In contrast to the first fake app, this second malware is much more difficult for security tools to analyze. It specifically targets Chinese-speaking users and attempts to steal contacts, SMS messages, and photos from their devices. In China, where access to the Google Play Store is restricted, such apps are often distributed through third-party websites or alternative app stores. This allows attackers to spread their malware more easily, especially in regions with limited access to official app stores.

Figure 4. Distribution site and fake X app targeting Chinese-speaking users

One of the key techniques this malware uses to remain undetected is multi-stage dynamic loading. Instead of directly embedding its malicious payload in an easily accessible format, it encrypts and loads its DEX files in three separate stages, making analysis significantly harder.

In the first stage, the app's main activity, defined in AndroidManifest.xml, decrypts an XOR-encrypted file and loads it dynamically. This initial file acts as a loader for the next stage. In the second stage, the dynamically loaded file decrypts another AES-encrypted file and loads it. This second stage still doesn't reveal the core malicious behavior but serves as another layer of obfuscation. Finally, in the third stage, the decrypted file contains code related to the .NET MAUI framework, which is then loaded to execute the main payload.

Figure 5. Multi-stage dynamic loading

The main payload is ultimately hidden within the C# code. When the user interacts with the app, such as pressing a button, the malware silently steals their data and sends it to the C2 server.


Figure 6. C# code responsible for stealing photos, contacts, and SMS data

Beyond multi-stage dynamic loading, this malware also employs additional techniques to make analysis harder. One technique is manipulating the AndroidManifest.xml file by adding an excessive number of unnecessary permissions. These permissions include large amounts of meaningless, randomly generated strings, which can cause errors in certain analysis tools. This tactic helps the malware evade detection by disrupting automated scanners and static analysis.

Figure 7. AndroidManifest.xml file with excessive random permissions
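A static triage check for the two indicators described above, code blobs under the assemblies directory and a manifest padded with randomly generated permissions, as an added example that is not McAfee's code. The sample manifest and APK layout are constructed, and the assemblies/*.blob file naming, the permission-namespace allow-list and the entropy threshold are assumptions.

```python
import io
import math
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: permission namespaces expected in ordinary apps; extend for vendor SDKs.
KNOWN_PREFIXES = ("android.permission.", "com.android.", "com.google.android.")
# Genuine custom permissions conventionally use CONSTANT_CASE or lower_case leaf names.
CONVENTIONAL = re.compile(r"^(?:[A-Z][A-Z0-9_]*|[a-z][a-z0-9_]*)$")

def shannon_entropy(s: str) -> float:
    """Bits per character: random alphanumeric junk scores high, real words score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def suspicious_permissions(manifest_xml: str) -> list[str]:
    """Return <uses-permission> names in a decoded manifest that look randomly generated."""
    flagged = []
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name.startswith(KNOWN_PREFIXES):
            continue
        leaf = name.rsplit(".", 1)[-1]
        # Junk names break the naming convention and carry high character entropy.
        if not CONVENTIONAL.match(leaf) and shannon_entropy(leaf) >= 3.0:
            flagged.append(name)
    return flagged

def maui_assembly_entries(apk) -> list[str]:
    """List packed .NET assembly entries under assemblies/ (apk is a path or file object)."""
    with zipfile.ZipFile(apk) as z:
        return [n for n in z.namelist()
                if n.startswith("assemblies/") and n.endswith((".blob", ".dll", ".manifest"))]

# Constructed sample manifest: two legitimate permissions and two junk ones.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.example.app.permission.READ_DATA"/>
  <uses-permission android:name="com.qZk3Lm9Xp2Wv.hT7yB4nRe1Kd"/>
  <uses-permission android:name="io.vF2sGx8pQw4Lz"/>
</manifest>"""

def build_sample_apk() -> io.BytesIO:
    """Constructed in-memory APK with the assemblies/ layout a MAUI-packed app carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in ("classes.dex", "assemblies/assemblies.blob", "assemblies/assemblies.manifest"):
            z.writestr(name, b"\x00")
    buf.seek(0)
    return buf
```

Run both checks on an APK unpacked with a tool such as apktool (for the decoded manifest) and on the original archive; a hit on both is a strong reason to pull the blob for closer analysis.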

Another key technique is encrypted socket communication. Instead of using standard HTTP requests, which are easier to intercept, the malware relies on TCP socket connections to transmit data. This approach makes it difficult for traditional HTTP proxy tools to capture network traffic. Additionally, the malware encrypts the data before sending it, meaning that even if the packets are intercepted, their contents remain unreadable.

Another important aspect to note is that this malware adopts various themes to attract users. In addition to the fake X app, we also discovered several dating apps that use the same techniques. These apps had different background images but shared the same structure and functionality, indicating that they were likely created by the same developer as the fake X app. The continuous emergence of similar apps suggests that this malware is being widely distributed among Chinese-speaking users.

Figure 8. Various fake apps using the same technique

 

Recommendations and Conclusion

The rise of .NET MAUI-based malware highlights how cybercriminals are evolving their techniques to avoid detection. Some of the techniques described include:

  • hiding code blobs within assemblies
  • multi-stage dynamic loading
  • encrypted communications

With these evasion techniques, the threats can remain hidden for long periods, making analysis and detection significantly more challenging. Additionally, the discovery of multiple variants using the same core techniques suggests that this type of malware is becoming increasingly common.

Users should always be cautious when downloading and installing apps from unofficial sources, as these platforms are often exploited by attackers to distribute malware. This is especially concerning in countries like China, where access to official app stores is restricted, making users more vulnerable to such threats.

To keep up with the rapid evolution of cybercriminal tactics, users are strongly advised to install security software on their devices and keep it up to date at all times. Staying vigilant and ensuring that security measures are in place can help protect against emerging threats. By using McAfee Mobile Security, users can enhance their device security and detect threats related to this type of malware in real time.

 

Glossary of Terms

 

Indicators of Compromise (IOCs) 

APKs: 

 

C2: 

  • tcp[://]120.27.233.135:1833 
  • https[://]onlinedeskapi.com 
