
Microsoft tool masks malware for cybercriminals

Researchers from the McAfee Mobile Research Team have discovered that cyber criminals are abusing the .NET MAUI (Multi-platform App User Interface) framework to spread malware. These attackers hide their malicious code in blob files, making it difficult for traditional security solutions to detect the malware.

.NET MAUI is the successor to Xamarin and is based on the C# programming language. It is already popular among Flutter and React Native users for building iOS and Android apps, and support has now been extended to Windows and macOS. All of that sounds positive, but .NET MAUI also proves effective at concealing malware.

Hidden in blob files

The researchers found that the malware campaigns write their core functionality entirely in C# and store it as blob binaries. Unlike in traditional Android apps, the functionality is not located in DEX files or native libraries, which are often the only components antivirus solutions inspect to detect malware. Research from mid-2024 revealed that more than half of all phishing attacks manage to bypass all existing security layers, so this is not a new phenomenon.

Examples of attacks

McAfee describes two examples of this malware. The first is a fake banking app. It poses as IndusInd Bank and therefore targets Indian users. When users enter personal and financial data, it is sent directly to the attacker.

The second example is a so-called social media app aimed at Chinese-speaking users. This malware uses a more complex approach. McAfee refers to multi-stage dynamic loading, in which each stage prepares the loader for the next step. The app steals contacts, text messages and photos from the victim’s device and sends them to the attackers via encrypted socket communication.

Advanced evasion techniques

In addition to hiding code in blob files, the malware studied by McAfee uses multiple techniques to avoid detection:

The second malware variant loads its malicious payload in three separate stages, with each stage decrypting a new encrypted component. In addition, the malware manipulates the AndroidManifest.xml file by adding a huge number of unnecessary permissions with randomly generated names, which causes errors in certain analysis tools. In this way, it further disrupts scanners that the blob packaging has already misled.
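The manifest tampering described above lends itself to a simple defender-side triage check. The following Python script is an added example, not McAfee's detection logic and not code from the original article: it parses a decoded AndroidManifest.xml, counts the declared permissions and flags names that look machine-generated. The thresholds, the recognised permission prefixes and the sample manifest are constructed assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Heuristic thresholds and prefixes: assumptions for this example, not vendor logic.
MAX_PERMISSIONS = 50
KNOWN_PREFIXES = ("android.permission.", "com.google.android.", "com.android.")


def looks_random(name):
    """Flag a permission name that has no recognised prefix and whose last
    segment is a long alphanumeric run containing digits (typical of junk)."""
    if name.startswith(KNOWN_PREFIXES):
        return False
    last = name.rsplit(".", 1)[-1]
    return bool(re.fullmatch(r"[A-Za-z0-9]{12,}", last)) and any(c.isdigit() for c in last)


def triage_manifest(xml_text):
    """Summarise permission declarations in a decoded AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    names = [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]
    random_names = [n for n in names if looks_random(n)]
    dupes = [n for n, c in Counter(names).items() if c > 1]
    return {
        "total": len(names),
        "random_looking": len(random_names),
        "duplicates": len(dupes),
        # Either an implausible permission count or a cluster of junk names is suspicious.
        "suspicious": len(names) > MAX_PERMISSIONS or len(random_names) >= 5,
    }


def build_sample_manifest(n_random):
    """Constructed sample: two ordinary permissions padded with n_random junk ones."""
    junk = "".join(
        f'  <uses-permission android:name="com.{chr(97 + i % 26)}.Zq{i:06d}kLm7"/>\n'
        for i in range(n_random)
    )
    return (
        f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.sample">\n'
        '  <uses-permission android:name="android.permission.INTERNET"/>\n'
        '  <uses-permission android:name="android.permission.READ_CONTACTS"/>\n'
        f"{junk}</manifest>"
    )


if __name__ == "__main__":
    print(triage_manifest(build_sample_manifest(0)))
    print(triage_manifest(build_sample_manifest(200)))
```

Run against a manifest decoded with a tool such as apktool; the counts are a triage signal to prioritise manual review, not a verdict on their own.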

Protection against these threats

According to McAfee, its Mobile Security product detects these apps as Android/FakeApp. The company advises users not to download apps from unofficial sources and not to click on unreliable links. It also presents itself as the lifesaver; for the time being, the damage is regional, but the risk could easily spread beyond India and China.

If that happens, organizations here will have to batten down the hatches again. Without training, a third of Europeans fall for phishing attacks.