Cybersecurity researchers have uncovered a disturbing Android malware campaign exploiting Microsoft’s .NET Multi-platform App UI (MAUI) framework. The malware primarily targets Indian and Chinese-speaking users, disguising itself as legitimate banking and social media apps. McAfee Labs researchers reported that the primary aim of these threats is to steal sensitive user data, such as full names, mobile numbers, credit card details, and government-issued identifiers. These apps, while appearing legitimate, are in fact designed to secretly collect and transmit personal information to cybercriminals.
What sets these threats apart from traditional Android malware is the use of .NET MAUI to build malicious apps that store their core functionality in C# blob binaries rather than in DEX files or native libraries. Because many conventional antivirus engines inspect the DEX code and native libraries, this packaging lets the malicious code slip past them and makes it harder to detect. The malware uses encrypted socket communication to transmit the stolen data to command-and-control (C2) servers, which further complicates detection and allows the malware to persist undetected for longer periods.
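A defender-side triage check for the packaging described above, written as an added example (not code from the McAfee report): it opens an APK as a zip and reports whether it carries the .NET MAUI managed-code artefacts (the `assemblies/` blob and manifest, LZ4-packed `.dll` entries, `libmonodroid.so`) that a DEX-only scan would overlook. The entry names and the `XALZ` header are assumptions about the .NET for Android packaging format, and the sample APK is constructed inside the script.

```python
import io
import zipfile

# APK entry names that .NET for Android / MAUI builds are known to produce. They are
# the author's assumption about the packaging format, not values from the McAfee report.
MAUI_MARKERS = (
    "assemblies/assemblies.blob",      # assembly store: all managed code in one blob
    "assemblies/assemblies.manifest",
    "lib/arm64-v8a/libmonodroid.so",   # Mono runtime shim that loads the managed code
    "lib/armeabi-v7a/libmonodroid.so",
    "lib/x86_64/libmonodroid.so",
)
XALZ_MAGIC = b"XALZ"  # header of LZ4-packed assemblies under assemblies/


def triage_apk(data: bytes) -> dict:
    """Report which .NET MAUI indicators an APK (a zip) contains, for triage."""
    result = {"has_dex": False, "maui_markers": [], "managed_assemblies": [],
              "packed_assemblies": []}
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                result["has_dex"] = True
            if name in MAUI_MARKERS:
                result["maui_markers"].append(name)
            if name.startswith("assemblies/") and name.endswith(".dll"):
                result["managed_assemblies"].append(name)
                if apk.read(name)[:4] == XALZ_MAGIC:
                    result["packed_assemblies"].append(name)
    # A DEX file is still present in MAUI apps (a thin Java bootstrap), so its
    # presence alone says nothing; the managed-code artefacts are the signal.
    result["likely_dotnet_maui"] = bool(result["maui_markers"] or result["managed_assemblies"])
    return result


def build_sample_apk(dotnet: bool = True) -> bytes:
    """Constructed sample zip shaped like an APK; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<placeholder manifest/>")
        apk.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)
        if dotnet:
            apk.writestr("assemblies/assemblies.blob", b"\0" * 32)
            apk.writestr("assemblies/assemblies.manifest", b"placeholder\n")
            apk.writestr("assemblies/App.dll", XALZ_MAGIC + b"\0" * 28)
            apk.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF" + b"\0" * 16)
    return buf.getvalue()
```

Run `triage_apk(build_sample_apk())` to see the flagged entries; on a real APK pass the file's bytes instead of the constructed sample.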
McAfee Labs highlighted some of the specific fake apps, including one that impersonates the Indian financial institution IndusInd Bank and another that mimics the social media platform X. These apps are not distributed through official app stores but are instead propagated through third-party platforms, messaging links, or unofficial app stores, targeting regions where users are more likely to download apps from unverified sources.
These apps silently steal sensitive information such as personal banking details, contacts, SMS messages, and photos, posing significant security risks for the affected users.
The malware employs advanced evasion techniques such as multi-stage dynamic loading and the manipulation of the AndroidManifest.xml file. The malicious code is hidden within several layers of encrypted files, with each stage progressively revealing the next, making it challenging for security researchers to analyze the app. By obfuscating its true intentions, the malware avoids detection, increasing the likelihood of prolonged infections.
McAfee researchers urge users to remain cautious when downloading apps from unofficial sources and to use up-to-date security software to protect against these evolving and increasingly sophisticated cyber threats. The report also includes Indicators of Compromise (IOCs) to help users and organizations identify these threats.