Cybercriminals have developed malware campaigns that target Android users by abusing .NET MAUI, a cross-platform development framework, to evade traditional security measures. These threats disguise themselves as legitimate banking and social networking applications to harvest sensitive information from unsuspecting users.

The research team discovered that these malicious applications target specific demographics: a fake IndusInd Bank app aimed at Indian users, and various fake social media apps resembling X (formerly Twitter) aimed at Chinese-speaking users. McAfee researchers observed multiple variants of this malware campaign, noting that the threats primarily spread through unofficial app stores, to which users are directed via phishing links in messaging groups or text messages.

Unlike conventional Android malware, where malicious code resides in Java or native libraries, these threats hide their functionality within blob files located in the assemblies directory. Keeping the malicious code in blob binary files rather than conventional DEX files enables the malware to bypass many antivirus solutions that focus primarily on analyzing standard components. Additional obfuscation techniques include stuffing the AndroidManifest.xml file with excessive random permissions that disrupt automated analysis tools, and using encrypted socket communications instead of standard HTTP requests to evade network traffic monitoring.

When victims install these apps, they are prompted to enter personal information, including banking credentials, contact details, and other sensitive data, which is then transmitted to attacker-controlled command and control servers.
The malware decrypts and loads its malicious components in three separate stages: first decrypting an XOR-encrypted loader, which then decrypts an AES-encrypted second stage, finally revealing the core .NET MAUI framework with the malicious payload.
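A triage sketch for the blind spot described above, where code sits in blob files under the assemblies directory instead of DEX. This is an added example, not code from the article or from McAfee; the flag names, the size heuristic and the sample archive are constructed, and the `XABA` check assumes the standard .NET for Android assembly store header.

```python
import io
import zipfile

XABA_MAGIC = b"XABA"  # header bytes of a .NET for Android assembly store


def triage_apk(apk):
    """Report where an APK's code lives: DEX files vs. blobs under assemblies/."""
    report = {"dex": {}, "blobs": {}, "flags": []}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("classes") and name.endswith(".dex"):
                report["dex"][name] = info.file_size
            elif name.startswith("assemblies/") and name.endswith(".blob"):
                with zf.open(info) as fh:
                    magic_ok = fh.read(4) == XABA_MAGIC
                report["blobs"][name] = {"size": info.file_size, "xaba": magic_ok}
    blobs = list(report["blobs"].values())
    if blobs:
        # DEX-only scanning never sees this code; route it to .NET-aware analysis.
        report["flags"].append("needs-dotnet-analysis")
        if sum(b["size"] for b in blobs) > sum(report["dex"].values()):
            report["flags"].append("blob-larger-than-dex")  # constructed heuristic
        if not all(b["xaba"] for b in blobs):
            report["flags"].append("blob-missing-xaba-magic")
    return report


def build_sample_apk(with_blob):
    """Constructed, harmless stand-in for an APK (a ZIP with placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        if with_blob:
            zf.writestr("assemblies/assemblies.blob", XABA_MAGIC + b"\x00" * 512)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, flag in (("maui-style", True), ("dex-only", False)):
        print(label, triage_apk(build_sample_apk(flag)))
```

A `needs-dotnet-analysis` flag is not a verdict, since legitimate .NET MAUI apps ship the same blobs; it only marks packages whose assemblies must be unpacked and inspected before the app can be considered scanned.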
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 25 Mar 2025 11:20:10 +0000