Operation NightScout: supply chain attack on NoxPlayer Android emulator

Experts uncovered a new supply chain attack leveraging the update process of NoxPlayer, a free Android emulator for PCs and Macs.

UPDATE (February 3^rd, 2021):

Following the publication of our research, BigNox have contacted us to say that their initial denial of the compromise was a misunderstanding on their part and that they have since taken these steps to improve security for their users:

• use only HTTPS to deliver software updates in order to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks
• implement file integrity verification using MD5 hashing and file signature checks
• adopt additional measures, notably encryption of sensitive data, to avoid exposing users’ personal information

BigNox have also stated that they have pushed the latest files to the update server for NoxPlayer and that, upon startup, NoxPlayer will now run a check of the application files previously installed on the users’ machines.

ESET assumes no responsibility for the accuracy of the information provided by BigNox.

A new supply chain attack made the headlines, a threat actor has compromised the update process of NoxPlayer, a free Android emulator for Windows and Macs developed by BigNox. The company claims to have over 150 million users in more than 150 countries, according to ESET more than 100,000 of its customers have Noxplayer installed on their machines.

The emulator is widely adopted by gamers in order to play mobile games from their PCs.

The attack was discovered by cybersecurity firm ESET on January 25, threat actors delivered malware to a limited number of victims across Asia.

At the time of this writing, the researchers already identified five victims in countries such as Taiwan, Hong Kong, and Sri Lanka. ESET tracked this campaign as Operation NightScout.

“In January 2021, we discovered a new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range with over 150 million users worldwide.” reads the analysis published by ESET.

“Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities.”

The attackers compromised one of the company’s official API (api.bignox.com) and file-hosting servers (res06.bignox.com), once gained a foothold in the target infrastructure they tampered with the download URL of NoxPlayer updates in the API server to deliver tainted updates.

The experts reported that threat actors employed at least three different malware families in this supply chain attack.

The report published by ESET includes technical details for this attack, it could allow NoxPlayers users to determine if they have installed the tainted updates and provides instructions on how to remove the malicious code.

ESET did not attribute this attack to a well-known threat actor, it only highlighted that the three malware employed in the attack had “similarities” with other pieces of malware used in a Myanmar presidential office website supply-chain attacks in 2018 and in an intrusion into a Hong Kong university in early 2020.

“We have detected various supply-chain attacks in the last year, such as Operation SignSight or the compromise of Able Desktop among others. However, the supply-chain compromise involved in Operation NightScout is particularly interesting due to the targeted vertical, as we rarely encounter many cyberespionage operations targeting online gamers.” concludes the report.

“Supply-chain attacks will continue to be a common compromise vector leveraged by cyber-espionage groups, and its complexity may impact the discovery and mitigation of these type of incidents.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, NoxPlayer)

[adrotate banner=”5″]

[adrotate banner=”13″]