Hackers inserted malware in NoxPlayer Android emulator
A new supply chain attack that compromises the update mechanism of NoxPlayer, a free Android emulator for PCs and Macs were disclosed by security researchers.
The Slovak cybersecurity firm ESET, dubbed the highly targeted surveillance campaign “Operation NightScout” which involved distributing three different malware families through tailored malicious updates to victims based in Taiwan, Hong Kong, and Sri Lanka.
NoxPlayer is an Android emulator which was developed by Hong Kong-based BigNox. It allows users to play mobile games on PC, with support for keyboard, gamepad, script recording, and multiple instances. It is estimated to have over 150 million users in more than 150 countries.
The ongoing attack was first believed to have originated around September last year, which continued until “explicitly malicious activity” was uncovered this week.
According to ESET researcher Ignacio Sanmillan, depending on the compromised software in question and the delivered malware exhibiting surveillance capabilities, it may indicate the intent of intelligence collection on targets involved in the gaming community.
To perform the attack, the NoxPlayer update mechanism served as the vector to deliver trojanized versions of the software to users which after installation, delivered three different malicious payloads such as Gh0st RAT to spy on its victims, capture keystrokes, and collect sensitive information.
Separately, researchers found cases where additional malware like PoisonIvy RAT was downloaded by the BigNox updater from remote servers controlled by the threat actor.
PoisonIvy RAT which was first released in 2005, has been used in several high-profile malware campaigns.
The malware loaders used in the attack had similarities with that of a compromise of Myanmar presidential office website in 2018 and a breach of a Hong Kong university last year. The researchers said that the operators behind the attack breached BigNox’s infrastructure to host the malware, with its API infrastructure being compromised.
Sanmillan suggests that to be on the safe side, in case of intrusion it is best to perform a standard reinstall from clean media. The uninfected NoxPlayer users need not download any updates until BigNox sends notification that they have mitigated the threat. However, the best practice would be to uninstall the software.