- McAfee found hackers using .NET MAUI to hide malicious code in Android applications
- The applications are being distributed through unofficial app stores and phishing messages
- The goal of the malware is to steal data
Cybercriminals are abusing a legitimate Windows development tool to build malicious Android applications and steal victims' confidential information, researchers said.
McAfee security researchers presented two samples caught in the wild, saying that an unknown threat actor was abusing .NET MAUI, a cross-platform development framework, to build Android malware capable of evading detection.
“These threats disguise themselves as legitimate applications, targeting users to steal confidential information,” the report says.
Phishing and fake app stores
McAfee described several ways in which .NET MAUI was used to get around security protections.
First, the attackers hid the dangerous code inside a hidden storage area (blob files) that most antivirus programs do not normally inspect.
Second, they used multi-stage dynamic loading: the applications carried small pieces of code, decrypting and loading them one at a time, which makes it harder for security software to work out what is actually happening.
In addition, they padded the application files with unnecessary settings and permissions to confuse security scanners, and instead of using the normal network requests that security tools can monitor, these fake applications use encrypted messages and direct connections to send the stolen data to the attackers.
The malicious applications were not present on any reputable app store, such as the Google Play Store. Instead, they were found in “unofficial” app stores, to which victims are redirected through phishing links and similar scams.
Among the malicious applications, McAfee discovered a fake banking application and a fake SNS application aimed at the Chinese-speaking community.
Both applications were designed to silently steal data and exfiltrate it to a C2 server controlled by the attacker.
As usual, the best defence against such threats is to download applications only from official repositories, and even then to be careful: read the reviews and any other reports about the app.