
Security researchers have identified a new campaign in which threat actors use Microsoft’s .NET Multi-platform App UI (.NET MAUI) framework to distribute fraudulent banking and social media applications targeting users in India and China. The malicious apps, disguised as legitimate services, aim to steal sensitive user data, including login credentials and financial information.
Attack Methodology
The attackers abuse .NET MAUI’s cross-platform capabilities to create convincing fake applications that mimic popular banking and social media platforms. These apps are distributed through third-party app stores and phishing websites, often promoted via social engineering tactics. Once installed, the malware embedded within these apps can perform a range of malicious activities, from credential harvesting to session hijacking.
According to Kaspersky, the campaign employs sophisticated obfuscation techniques to evade detection by security software. The malware communicates with command-and-control (C2) servers hosted on compromised infrastructure, allowing attackers to exfiltrate stolen data and deploy additional payloads.
Geographic Targeting
The campaign primarily focuses on users in India and China, where mobile banking and social media adoption is high. Attackers tailor the fake apps to resemble region-specific services, increasing the likelihood of successful infections. For instance, in India the malware impersonates major banking apps, while in China it mimics popular social platforms like WeChat and Alipay.
This geographic specificity suggests the involvement of an Advanced Persistent Threat (APT) group with knowledge of local digital ecosystems. The use of .NET MAUI further indicates a shift toward exploiting modern development frameworks to bypass traditional security measures.
Mitigation and Recommendations
Enterprises and individual users are advised to download apps only from official stores such as Google Play or the Apple App Store. Organizations should implement robust mobile device management (MDM) solutions to monitor and restrict unauthorized app installations. Additionally, security teams should conduct regular awareness training to educate employees about the risks of phishing and fake apps.
Microsoft has been notified of the abuse of .NET MAUI in this campaign. While no inherent vulnerability in the framework has been identified, developers are encouraged to follow secure coding practices to prevent misuse. For further details on securing .NET MAUI applications, refer to Microsoft’s official security guidelines.