This fake Android emulator is really full of malware malware
Security researchers have discovered multiple malware strains affecting a popular Android emulator. Rather than infect as many devices as possible, it seems that the threat actors involved were specifically targeting certain individuals within the Asian online gaming community.
“In January 2021, we discovered a new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range with over 150 million users worldwide,” explained Ignacio Sanmillan, one of the ESET researchers that discovered the attacks. “This software is generally used by gamers in order to play mobile games from their PCs, making this incident somewhat unusual. Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities.”
The different malware strains were delivered by a hacker group known as “NightScout” after it managed to compromise BigNox’s storage infrastructure. The group then infiltrated BigNox’s API infrastructure to deliver its malicious payloads.
Do not update
When unsuspecting NoxPlayer users downloaded an update, they were unknowingly downloading multiple malware strains with surveillance-related capabilities. The first has not been documented before, while the second was a variant of the Ghost remote access trojan (RAT). NightScout also delivered a second-stage payload, the PoisonIvy RAT, but from their own infrastructure rather than using compromised NoxPlayer updates.
Interestingly, it appears that NightScout only infected five NoxPlayer users with a malicious update, based in Taiwan, Hong Kong, and Sri Lanka. Although targeted cyberattacks are not unusual, they are more commonly used to target government officials or high-profile businessmen. It is not currently clear why NightScout conducted an espionage operation targeting the gaming community.
Whatever the motivation, NoxPlayer users are advised to reinstall the app from clean media and refuse any updates until BigNox has confirmed that the malware infections have been mitigated.
Security researchers have discovered multiple malware strains affecting a popular Android emulator. Rather than infect as many devices as possible, it seems that the threat actors involved were specifically targeting certain individuals within the Asian online gaming community. “In January 2021, we discovered a new supply-chain attack compromising the update…
