Hackers Use Android Emulator to Spread Malware
Researchers: Supply Chain Attack Active Across Asia
A cyberespionage campaign is targeting game developers in Asia using an infected Android emulator app as part of a supply chain attack, a report issued this week by security firm ESET finds.
ESET notes the campaign has been ongoing since September 2020 and has targeted customers of BigNox, a Hong Kong-based Android emulator software developer. The supply chain attack involves hackers compromising BigNox's product called NoxPlayer, which is used by gamers to play mobile games on their computers.
The campaign worked much like the SolarWinds attack, which spread through a trojanized software update pushed out by the vendor itself. In this case, when NoxPlayer customers updated the software, the malicious update delivered three malware variants with surveillance capabilities, the report notes (see: SolarWinds Hackers Cast a Wide Net).
ESET estimates that so far only five NoxPlayer customers, based in Taiwan, Hong Kong and Sri Lanka, have been infected by the malware out of an estimated 100,000 NoxPlayer users worldwide. But the potential to do a great deal more damage remains.
"We have contacted BigNox about the intrusion, and they denied being affected," according to ESET. "We have also offered our support to help them past the disclosure in case they decide to conduct an internal investigation."
The report notes that the attackers use NoxPlayer's update mechanism as the initial attack vector. On launch, the application shows victims a prompt to update; accepting it installs the malicious update.
Once the victims have been tricked into "updating" and the malware has been downloaded, the next stage follows: a previously unseen malware variant with monitoring capabilities is deployed alongside two remote access Trojans, Gh0st for keylogging and PoisonIvy for data exfiltration, all of which execute on the victims' machines, the report adds.
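The attack described above only works if the client installs whatever the update channel hands it. The following Go program, added here as an illustration and not code from ESET, BigNox or the report, contrasts an updater that trusts the channel with one that pins the vendor's Ed25519 release key and checks both the manifest signature and the installer digest before installing. The manifest layout, version string and installer bytes are all constructed for the example; nothing here describes how NoxPlayer's real updater behaves.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is what an update server hands the client: the version offered,
// the SHA-256 of the installer, and a signature over those two fields made
// with the vendor's release key. The layout is assumed for this example.
type Manifest struct {
	Version   string
	SHA256    [32]byte
	Signature []byte
}

// signedBytes fixes the byte string the signature covers (version and
// digest, NUL-separated); the signature itself is never part of it.
func (m Manifest) signedBytes() []byte {
	return append([]byte(m.Version+"\x00"), m.SHA256[:]...)
}

// SignManifest is the release-time step. The private key belongs on a
// signing host, never on the update server the client talks to.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	m := Manifest{Version: version, SHA256: sha256.Sum256(installer)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

var ErrUntrustedUpdate = errors.New("update rejected: bad signature or digest")

// NaiveApply models an updater that trusts whatever the channel delivers:
// every installer is accepted, which is the behaviour the attack needs.
func NaiveApply(_ Manifest, _ []byte) error { return nil }

// VerifiedApply installs only if the manifest verifies under the public key
// pinned in the client and the installer hashes to the digest it carries.
func VerifiedApply(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pinned, m.signedBytes(), m.Signature) {
		return ErrUntrustedUpdate
	}
	if sum := sha256.Sum256(installer); !bytes.Equal(sum[:], m.SHA256[:]) {
		return ErrUntrustedUpdate
	}
	return nil
}

// Outcome records whether the naive and the verifying updater installed
// the delivered bytes in one scenario.
type Outcome struct{ Naive, Verified bool }

// RunScenarios plays three deliveries against both updaters: the genuine
// release, the genuine manifest with a swapped installer, and a trojan
// whose manifest the attacker re-signed with a key of their own.
func RunScenarios() (genuine, swapped, resigned Outcome, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	good := []byte("constructed bytes standing in for the legitimate installer")
	bad := []byte("constructed bytes standing in for a trojanized installer")
	m := SignManifest(vendorPriv, "1.2.3", good) // version string is made up

	run := func(m Manifest, installer []byte) Outcome {
		return Outcome{
			Naive:    NaiveApply(m, installer) == nil,
			Verified: VerifiedApply(vendorPub, m, installer) == nil,
		}
	}
	genuine = run(m, good)
	swapped = run(m, bad)                                  // channel swaps the payload only
	resigned = run(SignManifest(attackerPriv, "1.2.3", bad), bad) // attacker signs the trojan
	return
}

func main() {
	g, s, r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine release:   naive=%v verified=%v\n", g.Naive, g.Verified)
	fmt.Printf("swapped installer: naive=%v verified=%v\n", s.Naive, s.Verified)
	fmt.Printf("attacker-signed:   naive=%v verified=%v\n", r.Naive, r.Verified)
}
```

The verifying client rejects both the swapped installer and the attacker-signed manifest because the only key it trusts is the one pinned at build time. The check does not help if the vendor's own signing key or build pipeline is compromised, which is the SolarWinds pattern the article compares this campaign to; that is why the release key must be kept off the update server and why a version field in the signed manifest (to refuse downgrades) is worth adding in a real client.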
Supply Chain Attack
The recent attack is among the latest cases of supply chain attacks targeting software vendors.
In December 2020, Microsoft and FireEye acknowledged that the SolarWinds hackers had compromised their internal systems as part of a supply chain attack (see: Malwarebytes CEO: Firm Targeted by SolarWinds Hackers).
The attack, which appears to have started in March 2020, went undetected until FireEye discovered that its penetration testing tools had been stolen. Attackers added a backdoor called "Sunburst" into SolarWinds' Orion network monitoring software. Up to 18,000 customers installed and ran the Trojanized software. Attackers then used Sunburst to target some of those customers.