An infected update mechanism has been found to install cyber espionage capabilities to track gamers in Asia.

NoxPlayer—an Android emulator for PCs and Macs—has been found to be the recent target of hackers behind three different malware families. The app’s update mechanism has been hacked to distribute the malware to selected victims in Asia.

Cybersecurity investigators from ESET, who announced this campaign, have not discovered any financial gain motive, but rather, have concluded that the malware was designed for cyber espionage.

The firm’s telemetry data indicated the first indicators of compromise in September 2020. Activity then continued until researchers uncovered explicitly malicious activity this week in 2021. The incident was then reported to BigNox, the Hong Kong-based company that developed NoxPlayer—according to ESET researcher Ignacio Sanmillan.

A compromised developer

ESET researchers have identify only several victims to date, all based in Taiwan, Hong Kong and Sri Lanka. Based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, researchers believe this may indicate the intent of intelligence collection on targets involved in the gaming community, Sanmillan said.

In this supply-chain attack, the NoxPlayer update mechanism serves as the vector of compromise. On launch, if NoxPlayer detects a newer version of the software, it will prompt the user with a message offering the user the option to install it, thus delivering the malware.

According to Sanmillan, they have sufficient evidence to state that BigNox’ infrastructure had been compromised to host malware and also to suggest that their API infrastructure could have been compromised. In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers.

Three variants

A total of three different malicious update variants have been observed.

  • The first malicious update variant does not seem to have been documented before and has enough capabilities to monitor its victims.
  • The second update variant, in line with the first, was spotted being downloaded from legitimate BigNox infrastructure. The deployed final payload was an instance of Gh0st RAT (with keylogger capabilities) also widely used among threat actors.
  • The third variant, PoisonIvyRAT—a remote access tool popular with cybercriminals—was only spotted in activity subsequent to the initial malicious updates and downloaded from attacker-controlled infrastructure.

ESET has spotted similarities between loaders that its researchers had monitored in the past and what they now observed in NoxPlayer. “The similarities we see are related to instances discovered in a Myanmar presidential office website supply-chain compromise in 2018, and in early 2020 in an intrusion into a Hong Kong university.”

What can NoxPlayer users do in the meantime. Sanmillan said that, in case of detected intrusion, the public is advised to perform a standard reinstall from clean media. For uninfected NoxPlayer users, do not download any updates until BigNox sends notification that they have mitigated the threat. Furthermore, best practice would be to uninstall the noxplayer app.