Pierluigi Paganini March 25, 2025

Researchers warn of a new Android malware that uses .NET MAUI to mimic legit services and evade detection.

McAfee researchers warn of Android malware campaigns using .NET MAUI to evade detection. These threats disguise themselves as legitimate services to steal sensitive information from users.

.NET MAUI (Multi-platform App UI) is a cross-platform framework by Microsoft for building native mobile and desktop applications using C#. It allows developers to create apps that run on Android, iOS, Windows, and macOS from a single codebase, streamlining development and maintenance. It replaces Xamarin.Forms and provides a unified UI framework with platform-specific integrations.

Cybercriminals are using .NET MAUI to create Android malware that evades detection by hiding core functions in C# blob binaries instead of traditional DEX files.

McAfee researchers detailed a fake IndusInd Bank app targeting Indian users, stealing personal and banking data via a hidden malicious .NET MAUI payload.

“Unlike typical malicious apps, there are no obvious traces of harmful code in the Java or native code.” reads the report published by McAfee. “Instead, the malicious code is hidden within blob files located inside the assemblies directory. “

Then the collected data is sent to an attacker’s C2 server.

Another malware observed by the experts targets Chinese-speaking users, stealing contacts, SMS, and photos through third-party app stores. It evades detection using multi-stage dynamic loading, encrypting and loading its malicious payload in three steps.

The malware also manipulates AndroidManifest.xml with excessive permissions to disrupt analysis and uses encrypted socket communication to hide stolen data. Disguised as various apps, it is widely distributed across alternative platforms.

“In the first stage, the app’s main activity, defined in AndroidManifest.xml, decrypts an XOR-encrypted file and loads it dynamically. This initial file acts as a loader for the next stage. In the second stage, the dynamically loaded file decrypts another AES-encrypted file and loads it. This second stage still does not reveal the core malicious behavior but serves as another layer of obfuscation. Finally, in the third stage, the decrypted file contains code related to the .NET MAUI framework, which is then loaded to execute the main payload.” continues the report. “The main payload is ultimately hidden within the C# code. When the user interacts with the app, such as pressing a button, the malware silently steals their data and sends it to the C2 server.” 

Cybercriminals are increasingly using .NET MAUI-based malware to evade detection through techniques like hidden code blobs, multi-stage loading, encryption, and obfuscation. The researchers pointed out that these threats can remain undetected for long periods, and their growing prevalence suggests they are becoming more common. Users should avoid unofficial app sources, use security software, and stay updated to protect against evolving cyber threats.

The report includes Indicators of Compromise (IOCs) for these threats.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android malware)