Alleged Gaming Software Supply-Chain Attack Installs Spyware

Researchers allege that attackers have compromised the update mechanism of NoxPlayer, software that allows gamers to run Android apps on their PCs or Macs.
Researchers said that, out of more than 100,000 users in their telemetry who have NoxPlayer installed on their machines, only five received a malicious update, showing the attack is a "highly targeted operation." These victims are based in Taiwan, Hong Kong and Sri Lanka.
A normal NoxPlayer update process works as follows: upon launch, NoxPlayer queries the update server via the BigNox HTTP API to retrieve specific update information.
If the user chooses to update, the main NoxPlayer binary passes the update parameters it received to another binary in its toolbox, which is in charge of downloading the update.
For victims, the attack occurs when the BigNox API server responds to the client request with specific update information, including the URL to download the update from BigNox's legitimate infrastructure.
Unlike legitimate BigNox updates, these malicious files are not digitally signed, which strongly suggests that the BigNox build system was not compromised, only the systems that distribute updates, said researchers.
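
As an added example (not from the article or the researchers' tooling), the following Python code triages downloaded update files by checking whether each one carries an embedded Authenticode signature blob at all, the property that set the malicious updates apart. It assumes the updates are Windows PE executables; the function names are illustrative and the sample files are constructed header-only images.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def authenticode_blob(data: bytes):
    """Return (file_offset, size) of the embedded signature blob, or None if unsigned.

    Raises ValueError when the bytes are not a parseable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                       # skip signature + COFF header
    try:
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = {0x10B: 96, 0x20B: 112}.get(magic)           # PE32 / PE32+ directory offset
        if dirs is None:
            raise ValueError("unknown optional-header magic")
        (count,) = struct.unpack_from("<I", data, opt + dirs - 4)  # NumberOfRvaAndSizes
        if count <= SECURITY_DIR:
            return None
        offset, size = struct.unpack_from("<II", data, opt + dirs + 8 * SECURITY_DIR)
    except struct.error:
        raise ValueError("truncated PE header") from None
    if offset == 0 or size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    return offset, size

def triage(files: dict) -> dict:
    """Map each file name to 'signature-present', 'unsigned' or 'unparseable'."""
    verdicts = {}
    for name, data in files.items():
        try:
            verdicts[name] = "signature-present" if authenticode_blob(data) else "unsigned"
        except ValueError:
            verdicts[name] = "unparseable"
    return verdicts

def build_sample_pe(signed: bool) -> bytes:
    """Constructed PE32+ headers for the demo; the 'signature' is filler bytes."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 328, 16)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    return dos + b"PE\0\0" + coff + bytes(opt) + (b"\x30" * 16 if signed else b"")
```

A present blob only shows that a signature is embedded, not that it is valid or from the expected publisher; chain and signer validation still belong to the platform's verifier (on Windows, for example, `Get-AuthenticodeSignature`).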
News URL
https://threatpost.com/gaming-software-attack-spyware/163537/