Cybersecurity researchers are calling attention to malicious Android software that uses Microsoft's .NET Multi-platform App UI (.NET MAUI) framework to create fake banking and social media applications targeting Indian and Chinese users.
“These threats disguise themselves as legitimate applications, targeting users to steal sensitive information,” McAfee Labs researcher Dexter Shin said.
.NET MAUI is Microsoft's cross-platform desktop and mobile app framework for building native applications with C# and XAML. It is an evolution of Xamarin that not only supports building multi-platform applications from a single project, but also lets developers include platform-specific source code where needed.
It is worth noting that official support for Xamarin ended on May 1, 2024, with the technology giant urging developers to migrate to .NET MAUI.
While Xamarin-based Android malware has been found in the past, the latest development signals that threat actors continue to adapt and refine their tactics by developing new malware using .NET MAUI.
“These apps have their core functionalities written entirely in C# and stored as binary files,” Shin said. “This means that, unlike traditional Android apps, their functionality does not reside in DEX files or native libraries.”
This gives threat actors a new advantage, in that .NET MAUI acts as a packer, allowing the malicious artifacts to evade detection and persist on the victim's device for a long period of time.
Examples of .NET MAUI-based Android malware, collectively named FakeApp, and their associated package names are listed below –
- X (PKPRIG.CLJOBO)
- Mystery (PCDHCG.CEONGL)
- X (pdhe3s.cxbdxz)
- X (ppl74t.cgddfk)
- Cupid (pommnc.cstgat)
- X (Pinunu.cbb8ak)
- Private Album (Pbonci.cuvnx)
- X • GDN (Pgkhe9.ckjo4)
- Mystery (PCDHCG.CEONGL)
- A small universe (p9z2ej.cplkqv)
- X (pdxatr.c9c6j7)
- Mystery (PG92LI.CDBRQ7)
- Attachment (pzqa70.cfzo30)
- Slow night (paqpsn.ccf9n3)
- Indus credit card (indus.credit.card)
- IndusInd Card (com.rewardz.card)
There is no evidence that these apps are distributed via Google Play. Rather, the main distribution vector involves tricking users into clicking on bogus links sent through messaging apps, which redirect unsuspecting recipients to unofficial app stores.
In one example highlighted by McAfee, the app masquerades as an Indian financial institution to collect confidential information, including full names, mobile phone numbers, email addresses, residential addresses, credit card numbers and government-issued identifiers.
Another app mimics the social media site X to steal contacts, SMS messages and photos from victims' devices. It primarily targets Chinese users through third-party sites or alternative app stores.
In addition to using encrypted socket communication to transfer the collected data to a command-and-control (C2) server, the malware has been observed including several meaningless permissions in its AndroidManifest.xml file (for example, “android.permission.lhssziw6q”) in an effort to break analysis tools.
Also used is a multi-stage dynamic loading technique, in which an XOR-encrypted loader is responsible for launching an AES-encrypted payload, which in turn loads the .NET MAUI assemblies designed to carry out the malicious behavior.
“The main payload is ultimately hidden within the C# code,” Shin said. “When the user interacts with the app, such as by pressing a button, the malware silently steals their data and sends it to the C2 server.”
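The junk-permission trick described above (nonsense entries such as “android.permission.lhssziw6q” in AndroidManifest.xml) is something a triage script can flag. The following is an added example, not code from the article or from McAfee; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the list of legitimate permission prefixes and the sample manifest are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Prefixes under which permissions are normally declared (assumed, non-exhaustive).
KNOWN_PREFIXES = ("android.permission.", "com.google.android.", "com.android.")

# Constructed sample manifest; the first junk string is the one quoted in the article,
# the second is made up to show the heuristic generalises beyond that single value.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.fakeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.lhssziw6q"/>
  <uses-permission android:name="android.permission.k2rhg7zp"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name on a <uses-permission> element, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]


def looks_junk(name: str) -> bool:
    """Heuristic: genuine permissions end in an UPPER_SNAKE_CASE token under a
    known prefix; an unknown prefix or a lowercase alphanumeric tail is suspicious."""
    if not name.startswith(KNOWN_PREFIXES):
        return True
    tail = name.rsplit(".", 1)[-1]
    return re.fullmatch(r"[A-Z][A-Z0-9_]*", tail) is None


def junk_permissions(manifest_xml: str) -> list[str]:
    """Permissions worth a closer look, e.g. as an anti-analysis indicator."""
    return [p for p in declared_permissions(manifest_xml) if looks_junk(p)]


if __name__ == "__main__":
    for perm in junk_permissions(SAMPLE_MANIFEST):
        print("suspicious permission:", perm)
```

A hit is an indicator for manual review rather than a verdict: vendor-specific permissions with unusual naming will also trigger it, so extend KNOWN_PREFIXES for the devices you actually analyse.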