A new form of Android malware has been discovered this week, using Microsoft’s .NET MAUI framework to evade traditional security detection. Disguised as legitimate services such as banking and social media apps, and targeting Indian and Chinese-speaking users, the malware aims to steal sensitive information.

Experts from McAfee’s Mobile Research Team state that, although the malware is currently focused on China and India, other cybercriminal groups could easily adopt this technique to target a wider range of users globally.
.NET MAUI’s Hidden Danger: Bypassing Security
Microsoft introduced .NET MAUI in 2022 as a framework designed to simplify app development across both desktop and mobile platforms using C#, replacing the now-retired Xamarin tool. The framework’s purpose is to make cross-platform app development more seamless and efficient.
Traditionally, Android apps are developed using Java or Kotlin, with the resulting code stored in DEX (Dalvik Executable) files. These DEX files are closely scrutinized by Android’s security systems for any signs of suspicious code. However, .NET MAUI allows developers to build Android apps with C#, and this results in the app’s code being stored in binary “blob” files.
The Blob Advantage: Malware’s Evolving Tactics
These Binary Large Object (BLOB) files are essentially raw data chunks that do not follow a standardized file structure. The problem is that many Android security tools, designed to scan DEX files, fail to examine the inner contents of these BLOB files. As a result, a significant security blind spot is created, allowing malware to be hidden inside the blob without detection.
For cybercriminals, embedding malicious code directly into these blob files is more efficient than waiting to deploy it through updates. This format allows for stealthy, immediate attacks that are much harder to detect.
McAfee warns that with these evasion techniques, malware can remain hidden for extended periods, making it significantly harder to analyze and identify. The discovery of multiple malware variants using the same core technique suggests that this method is becoming increasingly common among cybercriminals.
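
To close the blind spot described above, a triage step can list where an APK actually keeps its code before trusting a DEX-only verdict. The following is an added example, not code from McAfee or Microsoft. The `XABA` and `XALZ` magic values, the `.blob`/`.blob.so` name fallback, and the helper names `triage_apk` and `build_sample_apk` are assumptions made for this illustration, and the sample archive is constructed.

```python
import io
import struct
import zipfile

# Assumed markers (not given in the article): b"XABA" opens a .NET for Android
# assembly store, b"XALZ" prefixes an LZ4-compressed assembly, b"MZ" a plain PE DLL.
DOTNET_MAGICS = {b"XABA": "assembly store", b"XALZ": "compressed assembly"}


def triage_apk(apk_bytes):
    """Report where an APK keeps code: DEX entries versus .NET payloads."""
    report = {"dex": [], "dotnet": [], "needs_dotnet_analysis": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            with apk.open(info) as fh:
                head = fh.read(4)
            name = info.filename
            if head == b"dex\n":
                report["dex"].append(name)
            elif head in DOTNET_MAGICS:
                report["dotnet"].append((name, DOTNET_MAGICS[head]))
            elif head[:2] == b"MZ" and name.lower().endswith(".dll"):
                report["dotnet"].append((name, "plain assembly"))
            elif name.endswith((".blob", ".blob.so")):
                # Name-only fallback for stores wrapped in another container.
                report["dotnet"].append((name, "blob by name"))
    # A DEX-only scan verdict does not cover these entries.
    report["needs_dotnet_analysis"] = bool(report["dotnet"])
    return report


def build_sample_apk(with_blob=True):
    """Constructed sample archive, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("res/raw/notes.txt", b"hello")
        if with_blob:
            store = b"XABA" + struct.pack("<I", 1) + b"\x00" * 64
            z.writestr("assemblies/assemblies.blob", store)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Any APK flagged with `needs_dotnet_analysis` should be routed to tooling that unpacks and inspects the managed assemblies, since the DEX portion alone does not represent the app's logic.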