Cybersecurity Firm Finds Rash of Apps Coded With Microsoft .NET MAUI

Cybercriminals are using a Microsoft cross-platform app development framework to create Android malware that bypasses security measures, evades detection and steals user data.
McAfee researchers say cybercriminals are turning to the computing giant’s newest platform for creating native mobile and desktop apps, .NET MAUI, which rolled out in May 2022. What’s convenient for legitimate app developers – a write once, run anywhere experience – is also good for making malicious software. Malicious apps typically mimic real apps from known sources such as financial institutions, distributing them outside of the Google Play Store through third-party websites or alternative app stores.
One variant identified by McAfee masquerades as a banking application targeting Indian users. Posing as an official IndusInd Bank app, it prompts victims to input sensitive personal and financial details, including names, phone numbers and banking credentials. Another variant, targeting Chinese-speaking users, disguises itself as a social networking service application. This malware is designed to steal contacts, SMS messages and photos from infected devices.
The malicious apps built with the Microsoft framework that McAfee researchers spotted aren’t traditional Android malware. “Unlike typical malicious apps, there are no obvious traces of harmful code in the Java or native code,” they wrote.
The fake apps observed by McAfee hide their malicious code as blob files inside the APK’s assemblies directory. That is, the payload sits as binary large object (blob) files alongside the compiled .NET assemblies, the framework’s basic unit of code, where some antivirus solutions aren’t looking for malware because the Java and native code they do scan stays clean.
Another key technique used to hide from detection is multi-stage dynamic loading. Rather than embedding the malicious payload directly, the attackers load it in three separate stages: a loader that fetches a second stage, which exists only to obfuscate the real executable, and finally the .NET MAUI-built malicious code. Each stage stays encrypted until it is loaded.
Hackers also manipulated the AndroidManifest.xml file by adding an excessive number of permissions, mostly randomly generated strings, to cause errors in some analysis tools. The manifest is a mandatory file for Android apps that defines the app’s structure, components and requirements.
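The two static traits above, payload blobs under the APK’s assemblies directory and a manifest padded with junk permissions, are both things an analyst can check for before running a sample. The script below is an added example, not McAfee’s tooling or code from the samples. It assumes only that an APK is a zip archive, that the manifest has already been decoded to plain XML (for example with apktool; the binary AXML inside a raw APK is not parsed here), and it uses its own naming heuristic and threshold. The APK entries and manifest it operates on are constructed for illustration.

```python
"""Triage checks for the two .NET MAUI malware traits described above.

Added example; not McAfee's tooling and not code from the samples.
Assumptions (this example's own):
  * An APK is a zip archive; a .NET (MAUI/Xamarin) app carries an
    'assemblies/' directory in it. The entry names below are constructed.
  * The manifest has already been decoded to plain XML (e.g. by apktool).
  * The permission-name heuristic and the junk threshold are assumptions.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
JUNK_PERMISSION_THRESHOLD = 3  # assumed: this many junk names flags the manifest

# Constructed sample manifest: three real Android permissions plus three
# junk, randomly shaped names of the kind the article describes.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="qzXkLpWmNtRvYbHsJdFgCaEiUoKe"/>
  <uses-permission android:name="Vbn.Tyu.iOpAsdFghJkl"/>
  <uses-permission android:name="com.example.fakebank.ZxcVbnMqWeRtY"/>
  <application android:label="Bank"/>
</manifest>
"""


def build_sample_apk() -> bytes:
    """Build a constructed, minimal APK-shaped zip with an assemblies/ store."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x00" * 16)  # constructed placeholder
        zf.writestr("classes.dex", b"\x00" * 16)  # constructed placeholder
        zf.writestr("assemblies/assemblies.manifest", b"constructed")
        zf.writestr("assemblies/assemblies.blob", b"\x00" * 64)  # constructed placeholder
    return buf.getvalue()


def list_assembly_entries(apk_bytes: bytes) -> list[str]:
    """Return every 'assemblies/' entry in the APK.

    .NET for Android packs the app's compiled assemblies there; a plain
    Java/Kotlin app has no such directory, so its presence tells the analyst
    to look past the DEX and native code that the article says stay clean.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith("assemblies/"))


_PKG_SEGMENT = re.compile(r"[a-z][a-z0-9_]*")
_PERM_SEGMENT = re.compile(r"[A-Z][A-Z0-9_]*")


def is_junk_permission(name: str) -> bool:
    """Heuristic (assumed): well-formed permission names are reverse-DNS
    lowercase segments ending in an UPPER_SNAKE constant, for example
    android.permission.READ_SMS. Anything else is treated as generated filler.
    """
    parts = name.split(".")
    if len(parts) < 2:
        return True
    *pkg, last = parts
    if not _PERM_SEGMENT.fullmatch(last) or len(last) > 64:
        return True
    return not all(_PKG_SEGMENT.fullmatch(p) for p in pkg)


def classify_permissions(manifest_xml: str) -> tuple[list[str], list[str]]:
    """Parse a decoded manifest; return (all uses-permission names, junk names).

    The parser only collects attribute values, so a manifest stuffed with
    junk entries still parses instead of tripping the tool up.
    """
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]
    junk = [n for n in names if is_junk_permission(n)]
    return names, junk


def triage(apk_bytes: bytes, manifest_xml: str) -> dict:
    """Combine both checks into a small findings record."""
    assemblies = list_assembly_entries(apk_bytes)
    names, junk = classify_permissions(manifest_xml)
    flags = []
    if assemblies:
        flags.append("dotnet_assemblies_present")
    if len(junk) >= JUNK_PERMISSION_THRESHOLD:
        flags.append("junk_permissions")
    return {
        "assembly_entries": assemblies,
        "permission_total": len(names),
        "junk_permissions": junk,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_apk(), SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Both flags are indicators for a closer look, not a verdict: legitimate MAUI apps also ship an assemblies directory, and the naming heuristic will misjudge an occasional vendor permission, so the point of the junk-permission check is the count rather than any single name.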
Another evasion method replaces standard HTTP requests with encrypted TCP socket connections, so security software that inspects HTTP traffic cannot intercept and analyze the malicious communications.
Researchers warn that they expect to see more malware deploying these techniques.