New Android Malware Uses .NET MAUI to Evade Detection

Cybersecurity researchers at McAfee have identified a new wave of Android malware campaigns leveraging .NET MAUI, a cross-platform development framework, to evade detection and steal sensitive user information.
These malicious applications disguise themselves as legitimate services, posing significant risks to mobile security.
How .NET MAUI is Being Exploited
Cross-platform development frameworks like Flutter and React Native have gained popularity among developers for building applications that run on both Android and iOS.
Microsoft introduced .NET MAUI as a successor to Xamarin, expanding support to Windows and macOS while utilizing .NET 6+ for improved performance.
According to McAfee, cybercriminals have now adapted by exploiting .NET MAUI’s architecture to create malware with core functionalities written entirely in C# and stored as binary large objects (blobs). This method allows them to conceal malicious code from traditional detection techniques that analyze DEX files or native libraries.
One example of this malware is a fraudulent banking app impersonating IndusInd Bank and targeting Indian users. When launched, the app prompts users to enter personal and financial details, including their name, phone number, email, date of birth and banking credentials. This data is then sent directly to the attacker’s command-and-control (C2) server.
Unlike typical Android malware, this app lacks harmful code in its Java or native components, instead hiding its malicious elements within blob files in the assemblies directory.
Another instance involves a fake social networking service (SNS) app aimed at Chinese-speaking users. This malware employs multi-stage dynamic loading, decrypting and executing its payload in three separate stages to make analysis significantly more difficult.
Additionally, it manipulates the AndroidManifest.xml file by adding excessive, randomly generated permissions to disrupt security tools. It also uses encrypted socket communication over TCP connections to transmit stolen data, making interception more challenging.
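A triage check for the packaging described above, as an added example that is not McAfee's code or part of the original article: it inventories where executable code sits in an APK and flags packages whose C# assemblies are packed as blobs under `assemblies/`, so they can be routed to .NET-aware analysis. The sample archive, its file names and the function names are constructed for illustration.

```python
import io
import zipfile


def inventory_apk(apk_bytes):
    """Group APK entries by the places executable code can live."""
    groups = {"dex": [], "native": [], "managed_blob": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name.endswith(".dex"):
                groups["dex"].append((name, info.file_size))
            elif name.startswith("lib/") and name.endswith(".so"):
                groups["native"].append((name, info.file_size))
            elif name.startswith("assemblies/") and name.endswith(".blob"):
                groups["managed_blob"].append((name, info.file_size))
    return groups


def needs_managed_code_review(groups):
    """True when a DEX/native-only scan would skip packed C# assemblies."""
    return bool(groups["managed_blob"])


def managed_share(groups):
    """Fraction of code bytes held in assembly blobs (0.0 when there are none)."""
    sizes = {kind: sum(size for _, size in items) for kind, items in groups.items()}
    total = sum(sizes.values())
    return sizes["managed_blob"] / total if total else 0.0


def build_sample_apk(with_blob):
    """Constructed input: a zip laid out like an APK, filled with zero bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("classes.dex", b"\x00" * 64)
        z.writestr("lib/arm64-v8a/libexample.so", b"\x00" * 128)
        if with_blob:
            z.writestr("assemblies/assemblies.blob", b"\x00" * 4096)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("maui-style", True), ("plain", False)):
        g = inventory_apk(build_sample_apk(flag))
        print(label, needs_managed_code_review(g), round(managed_share(g), 2))
```

Legitimate .NET MAUI apps packaged this way trip the check as well, so the result is a routing decision and not a verdict.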
Mitigating the Threat
These findings highlight how cybercriminals are evolving their methods to bypass conventional security measures.
To reduce the risk of infection, mobile users should consider the following precautions:
- Download apps only from official app stores like Google Play
- Be wary of applications requesting unnecessary permissions
- Use security software to detect and block potential threats
“To keep up with the rapid evolution of cyber-criminal tactics, users are strongly advised to install security software on their devices and keep it up to date at all times,” McAfee added. “Staying vigilant and ensuring that security measures are in place can help protect against emerging threats.”