
Android malware campaigns use .NET MAUI to evade detection


Researchers warn of a new Android malware that uses .NET MAUI to mimic legit services and evade detection.

McAfee researchers warn of Android malware campaigns using .NET MAUI to evade detection. These threats disguise themselves as legitimate services to steal sensitive information from users.

.NET MAUI (Multi-platform App UI) is a cross-platform framework by Microsoft for building native mobile and desktop applications using C#. It allows developers to create apps that run on Android, iOS, Windows, and macOS from a single codebase, streamlining development and maintenance. It replaces Xamarin.Forms and provides a unified UI framework with platform-specific integrations.

Cybercriminals are using .NET MAUI to create Android malware that evades detection by hiding core functions in C# blob binaries instead of traditional DEX files.

McAfee researchers detailed a fake IndusInd Bank app targeting Indian users, stealing personal and banking data via a hidden malicious .NET MAUI payload.

“Unlike typical malicious apps, there are no obvious traces of harmful code in the Java or native code,” reads the report published by McAfee. “Instead, the malicious code is hidden within blob files located inside the assemblies directory.”

The collected data is then sent to the attacker’s C2 server.

Another malware sample observed by the experts targets Chinese-speaking users and is distributed through third-party app stores; it steals contacts, SMS messages, and photos. It evades detection using multi-stage dynamic loading, decrypting and loading its malicious payload in three steps.

The malware also manipulates AndroidManifest.xml with excessive permissions to disrupt analysis and uses encrypted socket communication to hide stolen data. Disguised as various apps, it is widely distributed across alternative platforms.

“In the first stage, the app’s main activity, defined in AndroidManifest.xml, decrypts an XOR-encrypted file and loads it dynamically. This initial file acts as a loader for the next stage. In the second stage, the dynamically loaded file decrypts another AES-encrypted file and loads it. This second stage still does not reveal the core malicious behavior but serves as another layer of obfuscation. Finally, in the third stage, the decrypted file contains code related to the .NET MAUI framework, which is then loaded to execute the main payload.” continues the report. “The main payload is ultimately hidden within the C# code. When the user interacts with the app, such as pressing a button, the malware silently steals their data and sends it to the C2 server.” 
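The McAfee finding above, that the malicious logic lives in `assemblies/*.blob` stores rather than in the DEX files that Java-centric analysis inspects, suggests a simple static triage step: tell a .NET MAUI-packaged APK apart from an ordinary one before deciding how to analyse it. The following is added example code, not from the report or from McAfee; it assumes the .NET for Android assembly-store layout (blob files under `assemblies/` beginning with the magic `XABA`, plus Mono runtime libraries under `lib/`) and runs on a constructed in-memory APK.

```python
"""Static triage for Android APKs built with .NET MAUI (added example, not from the report)."""
import io
import zipfile
from dataclasses import dataclass, field

# Assumptions: .NET for Android bundles managed code under assemblies/ as *.blob
# stores whose header begins with the magic "XABA", and ships the Mono runtime in lib/.
ASSEMBLY_STORE_MAGIC = b"XABA"
MAUI_RUNTIME_LIBS = ("libmonodroid.so", "libmonosgen-2.0.so", "libxamarin-app.so")


@dataclass
class TriageResult:
    blob_files: list = field(default_factory=list)    # any assemblies/*.blob entry
    store_blobs: list = field(default_factory=list)   # blobs carrying the XABA magic
    runtime_libs: list = field(default_factory=list)  # Mono/.NET runtime natives
    dex_files: list = field(default_factory=list)     # where Java analysis would look

    @property
    def is_dotnet_maui(self) -> bool:
        return bool(self.store_blobs) or bool(self.runtime_libs)


def triage_apk(apk_bytes: bytes) -> TriageResult:
    """Walk the APK (a zip) and record where its executable code actually lives."""
    result = TriageResult()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("assemblies/") and name.endswith(".blob"):
                result.blob_files.append(name)
                with apk.open(name) as fh:
                    if fh.read(4) == ASSEMBLY_STORE_MAGIC:
                        result.store_blobs.append(name)
            elif name.startswith("lib/") and name.rsplit("/", 1)[-1] in MAUI_RUNTIME_LIBS:
                result.runtime_libs.append(name)
            elif name.endswith(".dex"):
                result.dex_files.append(name)
    return result


def build_sample_apk(maui: bool = True) -> bytes:
    """Constructed sample APK layout; with maui=True the code sits in blobs, not DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<constructed placeholder, not real AXML>")
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)  # thin Java glue only
        if maui:
            apk.writestr("assemblies/assemblies.blob", ASSEMBLY_STORE_MAGIC + b"\x00" * 36)
            apk.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF" + b"\x00" * 12)
    return buf.getvalue()
```

A positive result is a routing signal, not a verdict: it tells the analyst that decompiling `classes.dex` alone will miss the logic and that the blob stores (and, for the multi-stage variant, the files decrypted at runtime) are where to look.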

Cybercriminals are increasingly using .NET MAUI-based malware to evade detection through techniques such as hidden code blobs, multi-stage loading, encryption, and obfuscation. The researchers pointed out that these threats can remain undetected for long periods and that their prevalence is growing. Users should avoid unofficial app sources, use security software, and keep their devices updated to protect against evolving threats.

The report includes Indicators of Compromise (IOCs) for these threats.


Pierluigi Paganini

(SecurityAffairs – hacking, Android malware)