Introduction
Cybersecurity researchers have uncovered a new Android malware campaign that uses Microsoft’s .NET MAUI (Multi-platform App UI) framework to create fake banking and social media apps, specifically targeting Indian and Chinese-speaking users. These bogus apps aim to steal sensitive information, including financial data, personal details, and device content.
The campaign, dubbed FakeApp, showcases how cybercriminals are leveraging cross-platform frameworks like .NET MAUI to create highly adaptable and evasive malware.
How the Attack Works
The attackers create malicious Android apps using .NET MAUI, disguising them as legitimate financial or social media applications. These apps are not distributed via Google Play Store but instead spread through:
- Phishing links sent via messaging apps (WhatsApp, WeChat, etc.)
- Third-party app stores
- Fake websites designed to mimic authentic services
Once installed, these apps perform data harvesting and transmit the stolen information to Command-and-Control (C2) servers.
Technical Details of the Malware
1. Use of .NET MAUI for Android Malware
.NET MAUI is Microsoft’s cross-platform framework used for creating native apps with a single codebase. It allows the development of applications compatible with:
- Windows
- Android
- iOS
- macOS
Attackers are exploiting .NET MAUI’s capabilities to create malware-laden apps that target Android users, primarily in India and China.
2. Evasion Techniques
The malware uses advanced evasion techniques to remain undetected:
- Core functionalities written in C#: Instead of using traditional DEX files (Android’s Dalvik Executable), the malware stores its core functions in C# blob binaries, making it harder for security tools to detect.
- Multi-stage dynamic loading: The malware uses an XOR-encrypted loader to launch an AES-encrypted payload, which eventually loads the .NET MAUI assemblies to execute malicious commands.
- Fake permissions: The malware adds meaningless permissions in the AndroidManifest.xml file (e.g., android.permission.LhSSzIw6q) to confuse analysis tools.
- Encrypted communication: It uses encrypted socket connections to transmit stolen data to C2 servers, further obfuscating its activities.
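The junk-permission trick described above is one of the easier indicators to check for during triage. As an added defender-side example (not code from the original article or from any vendor's analysis), the following Python script scans a decoded AndroidManifest.xml and flags every android.permission.* entry whose constant part is not UPPER_SNAKE_CASE, which is the form every genuine Android permission takes. The sample manifest is constructed for this example; it reuses the android.permission.LhSSzIw6q name quoted in the article plus one more made-up junk name, and the package name and custom permission are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Every platform permission constant is UPPER_SNAKE_CASE (READ_SMS, INTERNET, ...).
# Random mixed-case strings such as LhSSzIw6q fail this pattern.
STANDARD_PERMISSION_RE = re.compile(r"^android\.permission\.[A-Z][A-Z0-9_]*$")

# Constructed sample manifest (not from a real sample); the package name and the
# com.example.constructed.* permission are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.LhSSzIw6q"/>
    <uses-permission android:name="android.permission.qZx91TmWe"/>
    <uses-permission android:name="com.example.constructed.CUSTOM_PERM"/>
    <application android:label="Constructed App"/>
</manifest>
"""


def extract_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def classify_permission(name: str) -> str:
    """'standard' = well-formed platform permission, 'junk' = android.permission.*
    with a name that no real platform permission uses, 'custom' = app/vendor-defined."""
    if name.startswith("android.permission."):
        return "standard" if STANDARD_PERMISSION_RE.match(name) else "junk"
    return "custom"


def find_junk_permissions(manifest_xml: str) -> list[str]:
    """List the android.permission.* entries that look fabricated."""
    return [p for p in extract_permissions(manifest_xml) if classify_permission(p) == "junk"]


def summarize(manifest_xml: str) -> dict[str, int]:
    """Count permissions per class; a non-zero 'junk' count is worth a closer look."""
    counts = {"standard": 0, "junk": 0, "custom": 0}
    for perm in extract_permissions(manifest_xml):
        counts[classify_permission(perm)] += 1
    return counts


if __name__ == "__main__":
    for perm in find_junk_permissions(SAMPLE_MANIFEST):
        print(f"suspicious permission name: {perm}")
    print(summarize(SAMPLE_MANIFEST))
```

Run it against a manifest decoded with a tool such as apktool; the binary AndroidManifest.xml inside an APK must be decoded to text first. The pattern check only catches random-looking names, so a well-formed but non-existent constant would pass; treat a hit as a triage signal to be confirmed by the other indicators the article lists (C# blobs instead of DEX, staged loaders, encrypted socket traffic), not as a verdict on its own.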
3. Data Theft and C2 Communication
Once installed, the malware apps silently steal sensitive data, including:
- Full names, dates of birth, and addresses
- Mobile numbers and email IDs
- Credit card details and bank information
- Contacts, SMS messages, and photos
- Device metadata (IMEI, location, and installed apps)
The stolen data is sent to C2 servers using encrypted socket communication, making detection and interception difficult.
FakeApp: The Malicious Apps
The FakeApp campaign includes multiple fake applications, with deceptive package names to mimic legitimate apps. Some of the identified fake apps include:
Fake Banking Apps:
- indus.credit.card – Mimics a financial service to steal payment details.
- com.rewardz.card – Poses as a credit card reward app to gather financial information.
Fake Social Media Apps:
- X (pkPrIg.cljOBO) – Mimics X (formerly Twitter) to steal contacts and SMS messages.
- 迷城 (pCDhCg.cEOngl) – A Chinese app that harvests user data.
- Cupid (pommNC.csTgAT) – A fake dating app designed for data harvesting.
- 小宇宙 (p9Z2Ej.cplkQv) – Targets Chinese users, stealing contacts and device content.
- 私密相册 (pBOnCi.cUVNXz) – Disguised as a photo album app but functions as spyware.
Targeted Distribution Tactics
The attackers primarily target Indian and Chinese-speaking users by:
- Spreading fake banking apps through malicious links sent via SMS, email, and messaging apps.
- Using counterfeit social media apps distributed via third-party app stores.
- Mimicking local financial institutions to gain the trust of victims.
- Masquerading as social media platforms, luring Chinese users into installing fake apps that extract sensitive data.
Impact and Risks
The FakeApp campaign poses a significant cybersecurity threat, leading to:
- Financial losses: Stolen banking credentials enable attackers to conduct unauthorized transactions.
- Identity theft: Harvested personal information can be used for identity fraud.
- Privacy breaches: Stolen SMS, photos, and contacts compromise users’ privacy.
- Device compromise: The malware enables persistent remote access, allowing attackers to execute commands on infected devices.
Mitigation and Protection Tips
To avoid falling victim to these malicious apps, users should:
- Download apps only from trusted sources: Avoid third-party app stores and stick to Google Play Store and Apple App Store.
- Verify app authenticity: Check app reviews, developer details, and permissions before installation.
- Avoid clicking on suspicious links: Do not open links from unknown senders or unverified sources.
- Enable device security settings: Use Play Protect and device encryption for added protection.
- Use mobile security solutions: Install reliable antivirus software to detect and block malware.
- Regularly update devices: Keep Android OS and apps updated with the latest security patches.
- Revoke unnecessary app permissions: Review and restrict app permissions to minimize exposure.
Conclusion
The FakeApp malware campaign demonstrates how hackers are leveraging .NET MAUI to create cross-platform malicious apps targeting Indian and Chinese-speaking users. By distributing fake banking and social media apps, attackers aim to steal sensitive data and compromise user privacy.
To stay protected, users should avoid downloading apps from untrusted sources, verify app authenticity, and use robust security solutions.
Stay alert, stay secure!