Android Malware Exploits .NET MAUI to Target Banking and Social Media Users
Cybersecurity researchers have identified a new Android malware campaign that leverages Microsoft’s .NET Multi-platform App UI (.NET MAUI) framework to create fraudulent banking and social media applications. These malicious apps primarily target users in India and Chinese-speaking regions.
“These threats disguise themselves as legitimate apps, tricking users into sharing sensitive information,” explained Dexter Shin, a researcher at McAfee Labs.
.NET MAUI is Microsoft’s cross-platform framework for developing desktop and mobile applications using C# and XAML. It builds on Xamarin’s capabilities, allowing developers to create multi-platform apps within a single project while incorporating platform-specific code when needed. With official support for Xamarin ending on May 1, 2024, Microsoft has encouraged developers to transition to .NET MAUI.
Although Android malware built with Xamarin has been identified before, this latest wave of threats suggests that cybercriminals are actively adapting by using .NET MAUI to refine their attack strategies.
Unlike traditional Android apps, which store functionalities in DEX files or native libraries, these malicious .NET MAUI-based apps have their core functions written entirely in C# and stored as blob binaries. This allows .NET MAUI to act as a packer, helping malicious code evade detection and persist on infected devices for extended periods.
The .NET MAUI-based Android apps, collectively codenamed FakeApp, and their associated package names are listed below –
- X (pkPrIg.cljOBO)
- 迷城 (pCDhCg.cEOngl)
- X (pdhe3s.cXbDXZ)
- X (ppl74T.cgDdFK)
- Cupid (pommNC.csTgAT)
- X (pINUNU.cbb8AK)
- 私密相册 (pBOnCi.cUVNXz)
- X•GDN (pgkhe9.ckJo4P)
- 小宇宙 (p9Z2Ej.cplkQv)
- X (pDxAtR.c9C6j7)
- 迷城 (pg92Li.cdbrQ7)
- 依恋 (pZQA70.cFzO30)
- 慢夜 (pAQPSN.CcF9N3)
- indus credit card (indus.credit.card)
- Indusind Card (com.rewardz.card)
There is no evidence that these apps have been distributed via Google Play. Instead, attackers trick victims into clicking on malicious links shared through messaging apps, which redirect them to unofficial app stores.
One example observed by McAfee involves an app impersonating an Indian financial institution to steal sensitive user data, including names, phone numbers, email addresses, birthdates, home addresses, credit card details, and government-issued identifiers.
Another fraudulent app mimics the social media platform X, designed to steal contacts, SMS messages, and photos from infected devices. This version primarily targets Chinese-speaking users through third-party websites and alternative app stores.
To avoid detection, the malware uses encrypted socket communication to transmit stolen data to a command-and-control (C2) server. It also declares a number of bogus permissions in the AndroidManifest.xml file—names such as "android.permission.LhSSzIw6q" that the Android platform does not define—to confuse analysis tools.
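The junk-permission trick is cheap to catch in triage: anything declared under the reserved `android.permission.` namespace that is not a real platform permission, or whose name is not UPPER_SNAKE_CASE, is a red flag. The following is an added example (not from McAfee's report or tooling) that parses a decoded manifest and reports such names; the sample manifest, its package name and the `NOT_A_REAL_ONE` entry are constructed for the demo, while `LhSSzIw6q` is the value quoted above.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of genuine platform permissions for this demo; a real tool would
# load the full list, e.g. from `adb shell pm list permissions` on a device.
KNOWN_PLATFORM_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Platform permission names are UPPER_SNAKE_CASE; a mixed-case token such as
# "LhSSzIw6q" can never be a real one, whatever list we compare against.
_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")

# Constructed manifest (as decoded by apktool or similar). "LhSSzIw6q" is the
# bogus name quoted in the article; "NOT_A_REAL_ONE" is invented for the demo.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.LhSSzIw6q"/>
  <uses-permission android:name="android.permission.NOT_A_REAL_ONE"/>
  <uses-permission android:name="com.example.fakebank.CUSTOM"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def bogus_platform_permissions(manifest_xml, known=KNOWN_PLATFORM_PERMISSIONS):
    """Map each android.permission.* name the platform does not define to a
    reason. App-defined permissions in other namespaces are left alone."""
    findings = {}
    for name in declared_permissions(manifest_xml):
        if not name or not name.startswith("android.permission."):
            continue
        if not _NAME_RE.match(name[len("android.permission."):]):
            findings[name] = "malformed name"
        elif name not in known:
            findings[name] = "not a platform permission"
    return findings
```

Run it over the manifest extracted from a suspicious APK; a hit on the "malformed name" rule is a strong signal on its own, while "not a platform permission" hits should be checked against the full SDK list before acting.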
The malware also utilizes a technique known as multi-stage dynamic loading, which involves an XOR-encrypted loader that launches an AES-encrypted payload. This payload, in turn, loads .NET MAUI assemblies designed to execute the malware.
“The core payload is concealed within the C# code,” Shin explained. “When users interact with the app, such as pressing a button, the malware silently steals their data and transmits it to the C2 server.”
This campaign highlights how cybercriminals continue to evolve their tactics, making it increasingly important for users to remain vigilant and only download apps from trusted sources.