Security News > 2021 > February > Android emulator supply-chain attack targets gamers with malware
ESET researchers have discovered that the updating mechanism of NoxPlayer, an Android emulator for Windows and macOS, made by Hong Kong-based company BigNox, was compromised by an unknown threat actor and used to infect gamers with malware.
NoxPlayer is used by gamers from over 150 countries around the globe according to BigNox but, as ESET found in January 2021, the supply-chain attack was focused on infecting only Asian gamers with at least three different malware strains.
"We have sufficient evidence to state that BigNox's infrastructure was compromised to host malware and also to suggest that their API infrastructure could have been compromised. In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers," ESET researcher Ignacio Sanmillan said.
The malicious updates delivered through NoxPlayer's compromised update mechanism included an unknown malware with monitoring capabilities and the extensively used Gh0st remote access trojan.
A third malware, the PoisonIvy RAT, was also discovered by ESET while investigating the supply-chain attack but this was delivered as a second-stage payload, from the attackers' own infrastructure not by deploying malicious NoxPlayer updates.
Despite the vast amount of victims that could've been infected between September 2020 when the supply-chain attack started and January 2021 when it was discovered, the NightScout threat actor instead chose to infect five targets from Taiwan, Hong Kong, and Sri Lanka, revealing this operation's highly-targeted nature.
News URL
Related news
- Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- Android malware "FakeCall" now reroutes bank calls to attackers (source)
- LottieFiles hit in npm supply chain attack targeting users' crypto (source)
- LottieFiles hacked in supply chain attack to steal users’ crypto (source)
- LottieFiles supply chain attack exposes users to malicious crypto wallet drainer (source)
- New FakeCall Malware Variant Hijacks Android Devices for Fraudulent Banking Calls (source)
- New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers (source)
- Google fixes two Android zero-days used in targeted attacks (source)
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)