do son 
Cybercriminals are constantly seeking new ways to bypass security measures, and a recent report from McAfee Labs reveals a disturbing trend: the use of the .NET MAUI cross-platform framework to create Android malware that evades detection. Security researcher Dexter Shin at McAfee Labs uncovered these campaigns.
Cross-platform mobile development frameworks like Flutter and React Native have become increasingly popular, allowing developers to build apps for both Android and iOS. Microsoft’s Xamarin framework, based on C#, has also been used in the past for malware development.
However, Microsoft has phased out Xamarin, replacing it with .NET MAUI, which expands support to include Windows and macOS. Cybercriminals are adapting to this shift, as McAfee Labs has discovered new Android malware campaigns developed using .NET MAUI.
These new malware campaigns employ sophisticated evasion techniques to avoid detection by antivirus solutions. A key method is that the malware has its core functionalities written entirely in C# and stored as blob binaries. This is unlike traditional Android apps that have their functionalities in DEX files or native libraries. Since many antivirus solutions focus on analyzing these components, .NET MAUI acts as a “packer,” allowing the malware to evade detection.
The report details two examples of Android malware campaigns using .NET MAUI:
- Fake Bank App: This app disguises itself as an Indusind Bank app, targeting Indian users to steal personal and financial details.
- Fake SNS App: This malware targets Chinese-speaking users, attempting to steal contacts, SMS messages, and photos. It employs multi-stage dynamic loading, encrypting and loading DEX files in three separate stages to further evade detection.
Beyond hiding code in blob files and multi-stage dynamic loading, the malware uses other techniques to hinder analysis and detection:
- Manipulating the AndroidManifest.xml file by adding excessive, randomly generated permissions to disrupt analysis tools.
- Using encrypted socket communication instead of standard HTTP requests to make network traffic analysis more difficult.
- Adopting various themes to attract users, such as fake dating apps, indicating widespread distribution.
The report emphasizes the importance of user vigilance and robust security measures to combat these evolving threats. Key recommendations include:
- Downloading and installing apps only from official app stores.
- Installing and maintaining up-to-date security software on devices.
