A recent discovery by the McAfee Mobile Research Team has highlighted a new wave of Android malware campaigns that utilize the .NET MAUI cross-platform framework to evade detection.
This framework, introduced by Microsoft as a replacement for Xamarin, allows developers to build applications for multiple platforms, including Android, iOS, Windows, and macOS.
However, cybercriminals have adapted this technology to create sophisticated malware that disguises itself as legitimate apps, targeting users to steal sensitive information.
Evasion Techniques and Malware Operations
The malware campaigns exploit the fact that many antivirus solutions focus on analyzing traditional Android components like DEX files and native libraries.
Since .NET MAUI apps store their core functionalities in C# code within blob binaries, these malicious apps can remain undetected for extended periods.
Two notable examples of these campaigns include a fake IndusInd Bank app targeting Indian users and a fake social networking app targeting Chinese-speaking users.
The fake bank app prompts users to input personal and financial details, which are then sent to the attackers’ Command and Control (C2) server.
The fake social networking app employs multi-stage dynamic loading and encrypted communications to steal contacts, SMS messages, and photos.
The fake social networking app is particularly challenging for security software to analyze due to its use of multi-stage dynamic loading.
This involves decrypting and loading files in three stages, with the final stage executing the malicious payload hidden within the C# code.
Additionally, the app manipulates the AndroidManifest.xml file by adding excessive, meaningless permissions, which can disrupt automated analysis tools.
The malware also uses encrypted socket communication, making it difficult for traditional HTTP proxy tools to intercept network traffic.
Recommendations for Protection
According to the Report, To protect against these evolving threats, users are advised to exercise caution when downloading apps from unofficial sources.
Installing and regularly updating security software, such as McAfee Mobile Security, can help detect and block these malicious apps.
McAfee’s security solutions already identify these threats as Android/FakeApp, providing users with real-time protection.
As cybercriminal tactics continue to evolve, staying vigilant and maintaining robust security measures are crucial for safeguarding personal data and devices.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free
