Android emulator abused to introduce malware onto PCs

Android emulator abused to introduce malware onto PCs

Emulators have played a part in many tech-savvy users’ lives. They introduce a level of flexibility that not only allows another system to run on top of a user’s operating system—a Windows OS running on a MacBook laptop, for example—but also allows video gamers to play games designed to work on a different platform than the one they own.

Recently, ESET revealed a campaign that targeted users of NoxPlayer, a popular Android emulator for PCs and Macs. Affected users didn’t have to visit a potentially dubious website to get malware. All they did was download the update for NoxPlayer.

What we see here is the latest example of a supply-chain attack, wherein threat actors were able to manipulate a legitimate executable file to make it behave in a way it’s not supposed to. In this case, attackers manipulated two files: Nox.exe, the main NoxPlayer file, and NoxPack.exe, the downloader of the update itself. The latter is its infection vector.

How users can get infected

Everything starts and happens at the backend where users cannot see what is really going on.

In the post, ESET explains that upon opening NoxPlayer—and before a message pops up telling users that a software update is available for download—the program queries the update server via the BigNox HTTP API to check for updates and if so, retrieves update-related information. This includes the URL where the update file is housed.

The researchers believe that certain sections of the BigNox infrastructure were compromised. It’s thought that either the attackers replaced the legitimate update file with malware, or changed the file name or download URL to point to a destination they controlled. These new download URLs mimicked the legitimate download location of the NoxPlayer update.

Malware was then executed on affected systems. Reconnaissance is pinned as the main purpose of this yet unknown malware. The researchers also observed that throughout the end of 2020 and the start of 2021, certain victims were infected with other malware.

Signs of the times

The video gaming industry isn’t exempted from any cyberattack and online risks. For years, companies within the industry have been targeted by phishing, scammers, and sometimes, malware.

Early this year, employees (and sometimes clients) of big-name gaming companies like Ubisoft had their credentials leaked on the dark web. In mid-2020, PipeMon, the product of an attacker group called Winnti, who is also known to use supply-chain attacks, infected several massive multiplayer online (MMO) game developers to use game builds and game servers for their malicious purpose.

Because the current pandemic has fueled the popularity of vide gaming, including how much people spend within these games, it shouldn’t surprise anyone that cybercriminals are homing in on them now more than ever. This particular attack on a gaming emulator company may seem unusual, but it aligns with the current trend.

While video gamers are enjoying their games, they should realize that they have caught the attention of cybercriminals. Similarly, video game companies should understand they are targets too. To keep the cybercriminals at bay, both will need to do their part.

Update February 8, 2021

The original ESET report was updated on February 3, 2021, and now includes details of measures Nox says it has implemented to safeguard users. We have not verified such changes or their adequacy.