.NET MAUI Fake Android Apps
Cybersecurity experts have uncovered a new Android malware campaign that exploits Microsoft's .NET Multi-platform App UI (.NET MAUI) framework. Disguised as banking and social media applications, these threatening applications primarily target Indian and Chinese-speaking users and aim to harvest sensitive information.
What Is .NET MAUI and Why Is It Being Used?
.NET MAUI is Microsoft's cross-platform framework for building native applications in C# and XAML. It evolved from Xamarin and gives developers a single project from which to target multiple platforms, while still allowing platform-specific code where it is needed.
Notably, Microsoft officially ended support for Xamarin on May 1, 2024, encouraging developers to move to .NET MAUI. Threat actors adapted quickly, using the framework to build new Android malware and continuing their trend of refining and evolving their attack methods.
How the .NET MAUI Helps Malware Evade Detection
Unlike traditional Android applications, whose logic lives in DEX files and native libraries, the .NET MAUI-based malware keeps its core functionality in C# blob binaries. This makes detection harder: the framework effectively acts as a packer that helps the malware stay undetected on victim devices.
By building on .NET MAUI, cybercriminals gain several advantages:
- Stealth Mode: The malicious code is hidden inside C# binaries, which makes it harder to analyze.
- Extended Persistence: The malware remains on infected devices longer without triggering security alerts.
- Evasion Tactics: The unconventional architecture lets it slip past traditional security scans.
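Because the framework hides the payload in blobs rather than in DEX code, a quick triage step for analysts is to measure the Shannon entropy of every entry in the APK (an APK is a zip archive): encrypted or compressed blobs sit near 8 bits per byte, while plain code and resources sit well below. The script below is an added example for this post, not code from the researchers or from any of the FakeApp samples; the in-memory archive it inspects, its entry names and the 7.5 bits/byte threshold are constructed for illustration.

```python
"""Entropy triage of APK entries (added example; the archive is constructed)."""
import io
import math
import random
import zipfile
from collections import Counter

# Heuristic cut-off in bits per byte; above it a blob is likely encrypted or compressed.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: two plain-text entries and one
    pseudo-random blob playing the role of an encrypted second stage."""
    rng = random.Random(20250325)  # fixed seed keeps the run reproducible
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml",
                    b'<manifest package="com.example.constructed"/>\n')
        zf.writestr("assets/config.json",
                    b'{"endpoint": "placeholder", "retry": 3}\n' * 50)
        zf.writestr("assets/stage2.bin", rng.randbytes(4096))
    return buf.getvalue()


def entropy_report(apk_bytes: bytes) -> dict[str, float]:
    """Return {entry_name: entropy} for every file entry in the archive.
    zipfile.read() returns the decompressed bytes, so zip-level compression
    does not distort the measurement."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report[info.filename] = round(shannon_entropy(zf.read(info)), 3)
    return report


def triage_apk(apk_bytes: bytes, threshold: float = HIGH_ENTROPY) -> dict[str, float]:
    """Keep only the entries whose entropy is at or above the threshold."""
    return {name: h for name, h in entropy_report(apk_bytes).items() if h >= threshold}


if __name__ == "__main__":
    apk = build_sample_apk()
    for name, h in entropy_report(apk).items():
        print(f"{h:5.3f}  {name}")
    print("flagged:", triage_apk(apk))
```

A high entropy value alone is not a verdict (images and legitimately compressed assets score high too), but a blob loaded at runtime that also scores near 8 bits/byte is exactly the kind of artifact the multi-stage loading described in this campaign leaves behind, and it is worth pulling apart.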
Fake Banking & Social Media Applications Identified
Researchers have identified multiple fraudulent apps built on .NET MAUI, collectively referred to as FakeApp. Some of the notable fake applications include:
Fake Banking Applications:
- Indus Credit Card (indus.credit.card)
- Indusind Card (com.rewardz.card)
Fake Social Media & Utility Applications:
- Cupid (pommNC.csTgAT)
- X•GDN (pgkhe9.ckJo4P)
- 迷城 (Míchéng) (pCDhCg.cEOngl)
- 私密相册 (Private Album) (pBOnCi.cUVNXz)
- 小宇宙 (Little Universe) (p9Z2Ej.cplkQv)
These applications trick users into installing them, then silently extract and transmit their personal data to an attacker-controlled server.
How Users are being Tricked
Unlike legitimate applications distributed through Google Play, these fake applications rely on deceptive tactics for distribution. Attackers send fraudulent links through messaging applications, leading users to unofficial app stores where they unknowingly download the malware.
For instance:
- A fake banking application impersonates an Indian financial institution to steal users' full names, mobile numbers, credit card details, and government-issued IDs.
- A fraudulent social media app mimicking "X" (formerly Twitter) harvests contacts, SMS messages, and photos, targeting Chinese-speaking users.
The Advanced Evasion Techniques Used
To avoid detection, the malware employs multiple sophisticated techniques:
- Encrypted Data Transmission: Harvested data is sent to a Command-and-Control (C2) server using encrypted socket communication.
- Fake Permissions: The malware injects meaningless permissions (e.g., 'android.permission.LhSSzIw6q') into the AndroidManifest.xml file to confuse analysis tools.
- Multi-Stage Dynamic Loading: It utilizes an XOR-encrypted loader to launch an AES-encrypted payload, which then loads the .NET MAUI assemblies containing the actual malware.
- User Interaction Triggers Malicious Actions: The core payload remains hidden in C# code, only activating when the user interacts with the app (e.g., pressing a button). At that point, it silently steals data and transmits it to the C2 server.
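The fake-permission trick is easy to turn into a detection: genuine platform permissions are always shaped like android.permission.UPPER_SNAKE_CASE, so a name such as android.permission.LhSSzIw6q in that namespace can only be fabricated. The script below is an added example for this post, not code from the researchers or from the samples; it assumes a decoded, text-form AndroidManifest.xml (the binary manifest inside an APK must be decoded first, for instance with apktool), and the sample manifest, its package name and its short allowlist of known permissions are constructed for illustration.

```python
"""Audit declared permissions in a decoded AndroidManifest.xml (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Platform permissions are always android.permission.UPPER_SNAKE_CASE.
PLATFORM_SHAPE = re.compile(r"^android\.permission\.[A-Z][A-Z0-9_]*$")

# Constructed, deliberately short allowlist of real platform permissions;
# extend it from the Android documentation for production use.
KNOWN_PLATFORM = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.CAMERA",
}

# Permissions that enable the contact, SMS and photo theft described above.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

# Constructed manifest: real permissions mixed with fabricated ones shaped
# like the android.permission.LhSSzIw6q entry the article mentions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.LhSSzIw6q"/>
  <uses-permission android:name="android.permission.Qx7Ke2"/>
  <uses-permission android:name="android.permission.FOO_BAR_BAZ"/>
  <uses-permission android:name="com.example.constructed.permission.C2D_MESSAGE"/>
  <application android:label="Constructed"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Collect android:name from <uses-permission> and <uses-permission-sdk-23>."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names


def audit_permissions(manifest_xml: str) -> dict:
    """Sort declared permissions into fabricated, unknown-platform, sensitive
    and custom buckets, and compute the share of fabricated names."""
    names = declared_permissions(manifest_xml)
    report = {"total": len(names), "fabricated": [], "unknown_platform": [],
              "sensitive": [], "custom": []}
    for name in names:
        if name.startswith("android.permission."):
            if not PLATFORM_SHAPE.match(name):
                report["fabricated"].append(name)      # impossible for a real platform permission
            elif name not in KNOWN_PLATFORM:
                report["unknown_platform"].append(name)  # well-formed but not on the allowlist
            if name in SENSITIVE:
                report["sensitive"].append(name)
        else:
            report["custom"].append(name)              # app- or vendor-defined permission
    report["fabricated_ratio"] = round(len(report["fabricated"]) / len(names), 2) if names else 0.0
    return report


if __name__ == "__main__":
    for key, value in audit_permissions(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Any non-empty fabricated list is a strong signal on its own; combining it with a sensitive list covering SMS, contacts and images gives the profile of the data theft described in this campaign.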
How to Stay Safe
Given the increasing sophistication of these attacks, users should take proactive steps to protect themselves:
- Avoid Third-Party App Stores – Only download applications from Google Play or trusted sources.
- Verify Application Permissions – Be cautious of applications requesting unnecessary permissions.
- Stay Alert for Phishing Links – Do not click on suspicious links in messages.
- Use Anti-Malware Software – Install a reliable mobile security solution to detect and remove potential threats.
With cybercriminals continuously evolving their tactics, staying informed and cautious is the best defense against these emerging threats.