Hackers Use Android Emulator to Spread Malware

Researchers: Supply Chain Attack Active Across Asia
Asia victimology map. (Source: ESET)

A cyberespionage campaign is targeting game developers in Asia using an infected Android emulator app as part of a supply chain attack, a report issued this week by security firm ESET finds.

ESET notes the campaign has been ongoing since September 2020 and has targeted customers of BigNox, a Hong Kong-based Android emulator software developer. The supply chain attack involves hackers compromising BigNox's product called NoxPlayer, which is used by gamers to play mobile games on their computers.

The campaign functioned like the SolarWinds attack, which spread through a compromised software update pushed out by the vendor. In this case, when NoxPlayer customers updated the software, the malicious update delivered three malware variants with surveillance capabilities, the report notes (see: SolarWinds Hackers Cast a Wide Net).

ESET estimates that so far only five NoxPlayer customers, based in Taiwan, Hong Kong and Sri Lanka, have been infected by the malware out of an estimated 100,000 NoxPlayer users worldwide. But the potential to do a great deal more damage remains.

"We have contacted BigNox about the intrusion, and they denied being affected," according to ESET. "We have also offered our support to help them past the disclosure in case they decide to conduct an internal investigation."

Attack Tactics

The report notes that the attackers use NoxPlayer's update mechanism as the initial attack vector. When the application is launched, victims are shown a message prompting them to update, and that update installs the malicious application.

The victims are then tricked into updating the application in order to download the malware. This sets the stage for the next step in the attack, when a previously unseen malware variant with monitoring capabilities is used alongside two remote access Trojans - Gh0st, for keylogging, and PoisonIvy, for data exfiltration - which are all executed on the victims' devices, the report adds.

Supply Chain Attack

The recent attack is among the latest cases of supply chain attacks targeting software vendors.

In December 2020, Microsoft and FireEye acknowledged that the SolarWinds hackers had compromised their internal systems as part of a supply chain attack (see: Malwarebytes CEO: Firm Targeted by SolarWinds Hackers).

The attack, which appears to have started in March 2020, went undetected until FireEye discovered that its penetration testing tools had been stolen. Attackers added a backdoor called "Sunburst" into SolarWinds' Orion network monitoring software. Up to 18,000 customers installed and ran the Trojanized software. Attackers then used Sunburst to target some of those customers.

Other software vendors hit by the SolarWinds hackers include the security firms Mimecast, CrowdStrike and Palo Alto Networks.

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
