Security researchers at ESET recently discovered that hackers laced the update mechanism of NoxPlayer with various malware strains, potentially exposing over 100,000 users of the emulator to unauthorised surveillance.
NoxPlayer is a popular Android emulator for Windows, letting gamers run Android gaming apps such as Clash of Clans, Subway Surfers, and Kitchen Stories on their PCs, set up customised game controls on their keyboards, and access a wide range of apps on the Uptodown Market app, which comes pre-installed with the emulator.
NoxPlayer is owned and marketed by BigNox, a Hong Kong-based company which specialises in building app player software and boasts over 150 million users in more than 20 countries. The company enables gamers worldwide to play mobile gaming apps on Windows and Mac devices through a range of software products.
In late January, security researchers at ESET observed that hackers were compromising NoxPlayer’s update mechanism to distribute surveillance malware to unsuspecting users of the emulator. The malicious payloads, the researchers said, were downloaded to PCs by the BigNox updater from attacker-controlled servers after users clicked on the "Update Now" button to download software updates.
According to ESET, when the primary NoxPlayer executable Nox.exe sent a request via the API to query update information, the BigNox API server responded with a URL pointing to BigNox's legitimate infrastructure. However, the update which NoxPlayer.exe then downloaded from that URL was found to be laced with surveillance malware.
The researchers found that the malicious files were not digitally signed, strongly suggesting that the BigNox build system was not compromised, only the systems that distributed updates. Once installed on victims' PCs, the malware strains conducted reconnaissance of the system and sent the collected information back to C2 servers.
"Legitimate BigNox infrastructure was delivering malware for specific updates. We observed that these malicious updates were only taking place in September 2020. Furthermore, we observed that for specific victims, malicious updates were downloaded from attacker-controlled infrastructure subsequently and throughout the end of 2020 and early 2021," ESET said.
"We are highly confident that these additional updates were performed by Nox.exe supplying specific parameters to NoxPack.exe, suggesting that the BigNox API mechanism may have also been compromised to deliver tailored malicious updates. It could also suggest the possibility that victims were subjected to a MitM attack, although we believe this hypothesis is unlikely since the victims we discovered are in different countries, and attackers already had a foothold on the BigNox infrastructure.
"Furthermore, we were able to reproduce the download of the malware samples hosted on res06.bignox.com from a test machine and using https. This discards the possibility that a MitM attack was used to tamper with the update binary," the firm added.
The researchers also determined that even though more than 100,000 people have downloaded NoxPlayer onto their PCs, only five users, based in Taiwan, Hong Kong, and Sri Lanka, received the malicious updates, indicating that this was a highly targeted operation. They also noted that this was a particularly rare case, as they rarely encounter cyberespionage operations targeting online gamers.
Commenting on the weaponisation of NoxPlayer updates to deliver malware to end users, Kevin Bocek, VP of security strategy and threat intelligence at Venafi, said that BigNox allows use of its API services without any TLS machine identity protection, thereby allowing attackers to access its API services with just an HTTP connection.
"Making matters worse, since the malicious updates were not signed with a code-signing machine identity, it’s clear that BigNox’s update application was failing to enforce machine identities or finding a way to circumvent them.
"With the dust having barely settled from SolarWinds, today’s news should be a reminder to the software industry that its developers must enforce proper protections of their software – starting with the proper use of machine identities," he added.
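The update flow described above (client asks the API for update information, receives a download URL, fetches and runs the file) and the two gaps Bocek points to (no TLS enforcement, no code-signing enforcement) can be closed on the client side: the updater pins the publisher's public key, refuses non-HTTPS URLs and unknown hosts, checks a signature over the update metadata before downloading anything, and compares the downloaded bytes against the signed digest before executing them. The following Go program is an added illustration of that check, not BigNox's code or ESET's; the manifest fields, the Ed25519 key pair (generated at runtime here, where a real updater would embed the public key in the binary), the host `updates.example.com`, the version string and the package bytes are all constructed for the example. It also walks through the failure modes the article describes (a swapped file on a legitimate host, metadata signed with an attacker's key, a plain-HTTP URL) and shows each being rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// UpdateInfo models the answer an update API gives the client: where to fetch
// the package and how to check it. Field names are assumptions for this example.
type UpdateInfo struct {
	Version   string
	URL       string
	SHA256    string // hex digest of the package bytes
	Signature []byte // Ed25519 signature over sha256(version, url, digest)
}

// Policy is what the updater pins at build time: the publisher's public key and
// the only hosts it will download from.
type Policy struct {
	PublisherKey ed25519.PublicKey
	AllowedHosts []string
}

var (
	ErrInsecureURL    = errors.New("update URL must use https and an allow-listed host")
	ErrBadSignature   = errors.New("update metadata is not signed by the pinned publisher key")
	ErrDigestMismatch = errors.New("downloaded package does not match the signed digest")
)

// signedMessage binds version, URL and digest together so none can be swapped.
func signedMessage(info UpdateInfo) []byte {
	h := sha256.Sum256([]byte(info.Version + "\n" + info.URL + "\n" + info.SHA256))
	return h[:]
}

// NewSignedUpdate is the publisher-side step: hash the package and sign the metadata.
func NewSignedUpdate(priv ed25519.PrivateKey, version, rawURL string, pkg []byte) UpdateInfo {
	sum := sha256.Sum256(pkg)
	info := UpdateInfo{Version: version, URL: rawURL, SHA256: hex.EncodeToString(sum[:])}
	info.Signature = ed25519.Sign(priv, signedMessage(info))
	return info
}

func (p Policy) checkURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" {
		return ErrInsecureURL
	}
	for _, h := range p.AllowedHosts {
		if strings.EqualFold(u.Hostname(), h) {
			return nil
		}
	}
	return ErrInsecureURL
}

// VerifyUpdate applies every check before any downloaded byte is executed.
// fetch stands in for the HTTPS download so the example runs offline.
func (p Policy) VerifyUpdate(info UpdateInfo, fetch func(string) ([]byte, error)) ([]byte, error) {
	if err := p.checkURL(info.URL); err != nil {
		return nil, err
	}
	// Whoever controls the distribution host can replace the file, but cannot
	// produce this signature without the publisher's private key.
	if !ed25519.Verify(p.PublisherKey, signedMessage(info), info.Signature) {
		return nil, ErrBadSignature
	}
	pkg, err := fetch(info.URL)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != strings.ToLower(info.SHA256) {
		return nil, ErrDigestMismatch
	}
	return pkg, nil
}

// RunScenarios exercises the verifier with constructed data and returns the
// outcome of each case: genuine update, swapped file, attacker-signed
// metadata, and a plain-HTTP URL.
func RunScenarios() (good, tampered, badKey, plainHTTP error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair
	if err != nil {
		panic(err)
	}
	policy := Policy{PublisherKey: pub, AllowedHosts: []string{"updates.example.com"}}
	genuine := []byte("constructed genuine update package")
	payload := []byte("constructed replaced package")
	serve := func(b []byte) func(string) ([]byte, error) {
		return func(string) ([]byte, error) { return b, nil }
	}

	info := NewSignedUpdate(priv, "1.2.3", "https://updates.example.com/update.bin", genuine)
	_, good = policy.VerifyUpdate(info, serve(genuine))         // accepted
	_, tampered = policy.VerifyUpdate(info, serve(payload))     // host serves a different file

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)         // key the updater does not trust
	forged := NewSignedUpdate(otherPriv, "1.2.4", "https://updates.example.com/update.bin", payload)
	_, badKey = policy.VerifyUpdate(forged, serve(payload))     // API answer signed by the wrong key

	insecure := NewSignedUpdate(priv, "1.2.3", "http://updates.example.com/update.bin", genuine)
	_, plainHTTP = policy.VerifyUpdate(insecure, serve(genuine)) // refused before downloading
	return
}

func main() {
	good, tampered, badKey, plainHTTP := RunScenarios()
	fmt.Println("genuine:", good)
	fmt.Println("swapped file:", tampered)
	fmt.Println("wrong key:", badKey)
	fmt.Println("plain http:", plainHTTP)
}
```

The order of checks matters: the URL and signature are validated before the download, so an updater never fetches from an unexpected host and never spends bandwidth on metadata it cannot trust; the digest check after the download then catches a file replaced on an otherwise legitimate host, which is the case the ESET findings describe.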