UPDATE: NoxPlayer has told us that the issue is now fixed, and that the company has upped its security protection for users.
According to ESET, the company has also pushed the latest files to the update server for NoxPlayer and that, upon startup, NoxPlayer will now run a check of the application files previously installed on the users’ machines.
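The kind of startup integrity check described above, as an added example that is not NoxPlayer's, BigNox's or ESET's code: it records the SHA-256 of every file in a known-good install as a manifest and, on the next start, reports files that were modified, went missing or were dropped in. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_install(root, trusted_manifest):
    """Compare the on-disk tree with a trusted manifest.

    The manifest must come from a channel the update server cannot alter
    (signed by the vendor and verified with a pinned key, or shipped with
    the installer); a manifest fetched from the same compromised server
    would simply be replaced along with the files it describes."""
    actual = build_manifest(root)
    modified = sorted(p for p in trusted_manifest if p in actual and actual[p] != trusted_manifest[p])
    missing = sorted(p for p in trusted_manifest if p not in actual)
    unexpected = sorted(p for p in actual if p not in trusted_manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}

def demo():
    """Constructed scenario: clean install, then a swapped binary and a dropped DLL."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "player.exe"), "wb") as f:
        f.write(b"clean player binary")
    with open(os.path.join(root, "config.json"), "w") as f:
        json.dump({"version": "1.0"}, f)
    trusted = build_manifest(root)  # captured from the known-good build
    # Simulate a tampered update: binary replaced, extra DLL dropped next to it.
    with open(os.path.join(root, "bin", "player.exe"), "wb") as f:
        f.write(b"trojanised player binary")
    with open(os.path.join(root, "bin", "extra.dll"), "wb") as f:
        f.write(b"unexpected payload")
    return verify_install(root, trusted)

if __name__ == "__main__":
    print(demo())
```

A non-empty result should block launch and surface the file list to the user or to telemetry, since both a replaced binary and an unexpected sibling DLL are what a tampered update looks like on disk.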
Security researchers have discovered multiple malware strains affecting a popular Android emulator. Rather than infect as many devices as possible, it seems that the threat actors involved were specifically targeting certain individuals within the Asian online gaming community.
“In January 2021, we discovered a new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range with over 150 million users worldwide,” explained Ignacio Sanmillan, one of the ESET researchers that discovered the attacks. “This software is generally used by gamers in order to play mobile games from their PCs, making this incident somewhat unusual. Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities.”
The different malware strains were delivered by a hacker group known as “NightScout” after it managed to compromise BigNox’s storage infrastructure. The group then infiltrated BigNox’s API infrastructure to deliver its malicious payloads.
Do not update
When unsuspecting NoxPlayer users downloaded an update, they were unknowingly downloading multiple malware strains with surveillance-related capabilities.
The first has not been documented before, while the second was a variant of the Ghost remote access trojan (RAT). NightScout also delivered a second-stage payload, the PoisonIvy RAT, but from their own infrastructure rather than using compromised NoxPlayer updates.
Interestingly, it appears that NightScout delivered a malicious update to only five NoxPlayer users, based in Taiwan, Hong Kong, and Sri Lanka.
Although targeted cyberattacks are not unusual, they are more commonly used to target government officials or high-profile businessmen. It is not currently clear why NightScout conducted an espionage operation targeting the gaming community.
Via Bleeping Computer