Cybersecurity researchers have uncovered an Android malware campaign that exploits Microsoft’s .NET MAUI framework to create fake banking and social media apps targeting Indian and Chinese-speaking users. These malicious apps impersonate legitimate services to steal sensitive user data, such as personal details, credit card numbers, and government-issued identifiers.
Unlike traditional Android malware, these apps are developed entirely in C# and stored as blob binaries, allowing them to evade detection. .NET MAUI functions as a packer, enabling the malware to persist on victim devices for extended periods. McAfee Labs researchers note that threat actors are continuously refining their tactics, shifting from Xamarin-based malware to .NET MAUI for enhanced stealth.
The fake apps, collectively named FakeApp, are primarily distributed through deceptive links shared via messaging platforms, redirecting users to unofficial app stores. One such app impersonates an Indian financial institution to collect banking details, while another mimics the social media site X to extract contacts, SMS messages, and photos from targeted devices. These apps rely on encrypted socket communication to transmit stolen data to a remote command-and-control (C2) server.
To further evade detection, the malware employs multi-stage dynamic loading, using an XOR-encrypted loader to activate an AES-encrypted payload. This payload ultimately executes .NET MAUI assemblies designed to steal user data. Additionally, meaningless permissions are inserted into the AndroidManifest.xml file to disrupt security analysis tools.
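As an added illustration, not code from the report or from McAfee, the script below statically triages an APK for two of the traits just described: a bundled .NET runtime with assemblies stored as a blob, and `AndroidManifest.xml` padded with permission names outside the platform namespaces. The indicator strings, the namespace heuristic and the sample APK are this example's own assumptions, and it expects a manifest already decoded from Android's binary XML to plain text.

```python
"""Static triage of an APK for a bundled .NET MAUI/Xamarin runtime and padded permissions."""
import io
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Path fragments that .NET for Android / MAUI builds normally carry (assumption: indicator
# set chosen for this example, not taken from the report).
MAUI_INDICATORS = ("assemblies/assemblies", "libmonodroid.so", "libmonosgen-2.0.so")

# Namespaces under which genuine platform and vendor permissions are declared. Names outside
# them are flagged as likely padding; an app's own custom permissions would also land here,
# so treat the result as a triage hint, not a verdict.
KNOWN_PREFIXES = ("android.permission.", "com.android.", "com.google.android.")

def maui_indicators(apk_names):
    """Return APK entries that look like a bundled .NET runtime or assembly store."""
    return sorted(n for n in apk_names if any(tag in n for tag in MAUI_INDICATORS))

def declared_permissions(manifest_xml):
    """Return every <uses-permission android:name="..."> value in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]

def triage(apk_bytes):
    """Summarise runtime indicators and suspicious permissions for one APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        manifest = z.read("AndroidManifest.xml").decode()  # assumes plain-text XML
    perms = declared_permissions(manifest)
    junk = [p for p in perms if not p.startswith(KNOWN_PREFIXES)]
    ratio = round(len(junk) / len(perms), 2) if perms else 0.0
    return {"maui": maui_indicators(names), "junk_permissions": junk, "junk_ratio": ratio}

# Constructed sample manifest and APK; the padding names are invented for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="x.y.permission.PADDING_01"/>
  <uses-permission android:name="q.w.permission.PADDING_02"/>
</manifest>"""

def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        z.writestr("assemblies/assemblies.blob", b"\x00" * 16)
        z.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF")
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage(build_sample_apk()))
```

A high junk ratio together with runtime indicators is a reason to pull the assembly blob into a .NET decompiler rather than a sign of guilt by itself.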
Once installed, the malware operates silently in the background, triggering data theft when users interact with the app. Researchers warn that the increasing use of .NET MAUI for malicious purposes highlights the need for stronger security measures and user awareness to prevent falling victim to such sophisticated cyber threats.