New Android Malware Exploits .NET MAUI to Stay Undetected

Cybersecurity experts have uncovered a stealthy Android malware campaign that leverages Microsoft’s .NET MAUI framework to bypass traditional security mechanisms. These deceptive applications, disguised as legitimate services, have been found targeting users in India and China, with a high possibility of expanding to other regions.

How Hackers Are Using .NET MAUI for Android Malware

.NET MAUI, introduced by Microsoft in 2022, is a powerful cross-platform development framework designed for both mobile and desktop applications. Unlike conventional Android apps that rely on Java or Kotlin and store executable code in DEX files, .NET MAUI apps are built using C#, storing their core logic in binary blob files.

This technique creates a major security loophole, as Android security tools focus on scanning DEX files while largely ignoring blob files. Cybercriminals exploit this gap to embed malicious payloads within these files, making detection significantly more difficult.

Unlike traditional Android malware that downloads harmful components post-installation, this method conceals malicious code within the app itself, allowing attackers to execute operations stealthily.

Advanced Techniques Hackers Are Using to Stay Hidden

According to McAfee’s Mobile Research Team, these malware campaigns employ multiple layers of obfuscation to avoid detection, including:

🔹 Encrypted Payloads: Uses advanced XOR and AES encryption to conceal malicious scripts.
🔹 Manipulated AndroidManifest.xml: Bloated with randomly generated strings to mislead security tools.
🔹 Staged Execution Tactics: Malware is deployed in phases to prevent immediate detection.
🔹 TCP Socket Communication: Establishes direct connections to remote command-and-control (C2) servers, allowing hackers to exfiltrate sensitive data.

These evasion strategies make the malware highly persistent, allowing it to operate in the background without triggering alerts for extended periods.
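As an added example (not code from McAfee's report or from this article): a small Python triage script that checks the two indicators described above, whether an APK carries its logic in .NET MAUI blob files rather than in DEX and whether its AndroidManifest.xml is unusually large. The `assemblies/*.blob` and `lib/<abi>/libmonodroid.so` paths, the manifest size threshold and the stand-in APK are assumptions constructed for this example.

```python
import io
import zipfile

# Packaging layout assumed for this example (not stated in the article): .NET MAUI
# release builds ship managed code as assemblies/*.blob plus the Mono runtime under
# lib/<abi>/libmonodroid.so, next to a thin classes.dex that carries little logic.
MANIFEST_BLOAT_BYTES = 64 * 1024  # constructed threshold; tune to your app population


def triage_apk(apk_bytes):
    """Return indicators that an APK keeps its logic outside the DEX a scanner inspects."""
    findings = {"maui_blobs": [], "mono_runtime": False,
                "blob_bytes": 0, "dex_bytes": 0, "manifest_bloated": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name.startswith("assemblies/") and name.endswith(".blob"):
                findings["maui_blobs"].append(name)
                findings["blob_bytes"] += info.file_size
            elif name.startswith("lib/") and name.endswith("/libmonodroid.so"):
                findings["mono_runtime"] = True
            elif name.endswith(".dex"):
                findings["dex_bytes"] += info.file_size
            elif name == "AndroidManifest.xml":
                findings["manifest_bloated"] = info.file_size > MANIFEST_BLOAT_BYTES
    # Flag for manual review when the managed blobs outweigh the DEX code a
    # DEX-only scanner would look at, or when the manifest has been padded.
    findings["review"] = bool(findings["maui_blobs"]) and (
        findings["blob_bytes"] > findings["dex_bytes"] or findings["manifest_bloated"])
    return findings


def build_sample_apk(blob_size, manifest_padding):
    """Construct a minimal stand-in APK (constructed test data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>" + b"A" * manifest_padding)
        apk.writestr("classes.dex", b"dex\n035" + b"\0" * 4096)
        apk.writestr("assemblies/assemblies.blob", b"\0" * blob_size)
        apk.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF" + b"\0" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    # A large blob next to a tiny DEX and a padded manifest triggers review.
    print(triage_apk(build_sample_apk(2_000_000, 200_000)))
```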

Fake Apps Designed to Steal Personal & Financial Data

McAfee researchers identified multiple fake apps mimicking popular banking, social media, and messaging platforms. Some of the most concerning discoveries include:

🔻 A fraudulent IndusInd Bank app that tricks Indian users into entering banking credentials, which are then sent to the attacker’s server.
🔻 A fake SNS app designed to steal SMS messages, contact lists, and private photos from Chinese-speaking users.

Since the Google Play Store is restricted in certain regions, these malware-laced apps are often distributed via third-party app stores or unverified websites, increasing the risk of infection.

How to Stay Protected from These Threats

To minimize the risk of falling victim to these stealthy malware campaigns, follow these security best practices:

✅ Download apps only from trusted sources like the Google Play Store.
✅ Avoid installing APKs from third-party websites or unverified app stores.
✅ Be cautious of suspicious links sent via SMS or email, as they may lead to phishing sites.
✅ Enable Google Play Protect, which actively scans for malicious apps and prevents installation.
✅ Use an Android security scanner to analyze APK files before installation.

As malware techniques continue to evolve, Android users must stay alert and practice safe downloading habits to keep their devices and personal data secure.