In a recent development, an unknown hacker group has got hold of the popular Android emulator NoxPlayer to insert malware on victim’s devices in the Asian region. The attack is targeted on BigNox and the discovery was made by Slovak security firm ESET last week. Apparently, NoxPlayer is famous among geeks who like to emulate Android apps (games mostly) on their Windows or macOS system. According to the security firm, the attack comes from an unidentified thread monger who gained access to the company’s digital resources.
This hack, the attacker(s) accomplished by spooking into the company’s official API (api.bignox.com) and the file-hosting servers (res06.bignox.com). Once they got in the next step was to alter the download URL of the NoxPlayer updates and install the malware in the file which would get downloaded on the unfortunate user’s system.
According to ESET, the main motive was not any monetary demands or hacks – rather surveillance-related capabilities. For this three different malware were used which were tailored for select victims.
It is a bit baffling that the hackers had access to the BigNox server ever since September last year but they employed a peculiar strategy to not get caught. They targeted some machines of some class of users – the online gaming community in particular.
That’s the reason so far only five victims in Asia – located in places including Taiwan, Hong Kong, and Sri Lanka. To help out others no to fall victim of the malware attack, ESET has revealed their report with the details of the methodology and how to determine if the NoxPlayer you have is infected or not.
According to ESET, they are investigating further to identify the group involved and they doubt there is some interconnection with a group the team internally refers to as Stellera. They concluded this based on the similarities in the malware strains to the one used in Myanmar presidential official website hacked in 2018. That breach targeted the Hong Kong University.
UPDATE (February 3rd, 2021):
ESET updates: Following the publication of our research, BigNox have contacted us to say that their initial denial of the compromise was a misunderstanding on their part and that they have since taken these steps to improve security for their users:
- use only HTTPS to deliver software updates in order to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks
- implement file integrity verification using MD5 hashing and file signature checks
- adopt additional measures, notably encryption of sensitive data, to avoid exposing users’ personal information
BigNox have also stated that they have pushed the latest files to the update server for NoxPlayer and that, upon startup, NoxPlayer will now run a check of the application files previously installed on the users’ machines.
ESET assumes no responsibility for the accuracy of the information provided by BigNox.
