New Android malware uses Microsoft’s .NET MAUI to evade detection

New Android malware campaigns use Microsoft’s cross-platform framework .NET MAUI while disguising as legitimate services to evade detection.

The tactic was observed by McAfee’s Mobile Research Team, a member of the App Defense Alliance dedicated to enhancing Android security.

Although the apps McAfee observed target users in China and India, uncovering the attacks is important as the targeting scope could broaden, and the same tactic may be adopted by other cybercriminals soon.

Using .NET MAUI on Android

Launched in 2022, .NET MAUI is an app development framework in C#, introduced by Microsoft as a replacement to Xamarin, supporting both desktop and mobile platforms.

Typically, Android apps are written in Java/Kotlin and store the code in DEX format, but it’s technically possible to use .NET MAUI to build an Android app in C# with the app’s logic stored inside binary blob files.

Contemporary Android security tools are designed to scan DEX files for suspicious logic and do not examine blob files. This allows threat actors to hide malicious code in the blobs and bypass detection.

This approach is more attractive to attackers than fetching malicious code post-installation via updates, which is the standard tactic with most Android malware nowadays.

In this case, the tactic is effective because C#-based apps and blob files on Android are obscure.

Apart from using .NET MAUI, the campaigns observed by McAfee use multi-layered encryption (XOR + AES) and staged execution, bloating of the ‘AndroidManifest.xml’ file with randomly generated strings, and raw TCP sockets for command-and-control (C2) communications.
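As an added illustration (not McAfee's tooling and not taken from the report), the following Python triage script inspects an APK for the packaging traits described above: a Mono/.NET runtime under lib/, IL assemblies under assemblies/ rather than logic in classes.dex alone, and an oversized AndroidManifest.xml. The native library names, the assemblies/ layout and the manifest-size threshold are assumptions, and the sample APK it examines is constructed inside the script.

```python
import io
import os
import zipfile
from dataclasses import dataclass, field

# Assumption: these native libs and the assemblies/ folder are what a .NET MAUI build
# emits. The threshold is a constructed value: a normal binary manifest is a few KB.
MONO_RUNTIME_LIBS = {"libmonodroid.so", "libmonosgen-2.0.so", "libxamarin-app.so"}
MANIFEST_BLOAT_BYTES = 256 * 1024

@dataclass
class ApkTriage:
    uses_dotnet_runtime: bool = False
    assembly_files: list = field(default_factory=list)
    dex_files: list = field(default_factory=list)
    manifest_size: int = 0
    findings: list = field(default_factory=list)

def triage_apk(apk) -> ApkTriage:
    # Walk the zip entries of an APK (path or bytes) without executing anything.
    t = ApkTriage()
    src = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    with zipfile.ZipFile(src) as z:
        for info in z.infolist():
            name, base = info.filename, os.path.basename(info.filename)
            if name.startswith("lib/") and base in MONO_RUNTIME_LIBS:
                t.uses_dotnet_runtime = True
            elif name.startswith("assemblies/") and base.endswith((".blob", ".dll")):
                t.assembly_files.append(name)
            elif "/" not in name and name.endswith(".dex"):
                t.dex_files.append(name)
            elif name == "AndroidManifest.xml":
                t.manifest_size = info.file_size
    if t.uses_dotnet_runtime or t.assembly_files:
        t.findings.append("dotnet-maui: app logic sits in assemblies/ blobs, so a "
                          "DEX-only scan misses it; route the blobs to a .NET-aware analyzer")
    if t.manifest_size > MANIFEST_BLOAT_BYTES:
        t.findings.append(f"manifest-bloat: AndroidManifest.xml is {t.manifest_size} bytes")
    return t

def build_sample_apk(maui: bool = True) -> bytes:
    # Constructed sample APK of placeholder bytes, laid out like a MAUI build.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        pad = bytes(range(256)) * (1200 if maui else 8)  # ~300 KiB vs 2 KiB manifest
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + pad)
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        if maui:
            z.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF" + bytes(16))
            z.writestr("assemblies/assemblies.blob", bytes(128))
    return buf.getvalue()
```

Run `triage_apk(build_sample_apk())` to see both findings fire, and `triage_apk(build_sample_apk(maui=False))` for a plain DEX-only layout that produces none.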

“With these evasion techniques, the threats can remain hidden for long periods, making analysis and detection significantly more challenging,” warns McAfee.

“Furthermore, the discovery of multiple variants using the same core techniques suggests that this type of malware is becoming increasingly common.”

Fake X apps steal data

McAfee’s report lists several APKs discovered as part of the campaigns using the .NET MAUI technique, including fake banking, communication, dating, and social media apps such as X.

Fake X app
Source: McAfee

The researchers used two apps as examples, IndusInd and SNS, both distributed outside Google Play, Android’s official app store.

“In China, where access to the Google Play Store is restricted, such apps are often distributed through third-party websites or alternative app stores,” explains McAfee.

“This allows attackers to spread their malware more easily, especially in regions with limited access to official app stores.”

In the first case, the app impersonates an Indian bank, prompting users to input sensitive personal and financial information, and exfiltrating it to the C2 server.

Exfiltrating data to the C2 server
Source: McAfee

In the SNS app case, which targets Chinese-speaking users, the app attempts to steal contact lists, SMS messages, and photos stored on the device.

Stealing SMS, images, and contacts
Source: McAfee

To minimize the risk of infection by these evasive malware apps, avoid downloading Android APKs from third-party app stores or obscure websites and avoid clicking on links received via SMS or email.

If you are in a region where Google Play is unavailable, scan APKs for signs of malicious behavior and only install them from trusted sites.

Google Play Protect can detect and block the APKs McAfee identified as part of the latest campaigns, so ensure it’s active on your device.
