News Highlights: Hackers laced NoxPlayer updates with malware to target online gamers.
ESET security researchers recently discovered that attackers had compromised NoxPlayer’s update mechanism to deliver several malware families, potentially exposing more than 100,000 emulator users to unauthorized surveillance.
NoxPlayer is a popular Android emulator for Windows. It lets gamers run Android apps such as Clash of Clans, Subway Surfers, and Kitchen Stories on a PC, map game controls to the keyboard, and browse a range of other apps through the Uptodown Market store that ships pre-installed with the emulator.
NoxPlayer is owned and marketed by BigNox, a Hong Kong-based company that specializes in building app player software and boasts more than 150 million users in more than 20 countries. The company enables gamers worldwide to play mobile game apps on Windows and Mac devices through a range of software products.
At the end of January, ESET researchers observed that attackers had compromised the NoxPlayer update mechanism to distribute surveillance malware to unsuspecting users of the emulator. The malicious payloads, the researchers said, were pulled down by the BigNox updater itself, from either legitimate BigNox infrastructure or attacker-controlled servers, after users clicked the “Update Now” button to fetch software updates.
According to ESET, when the main NoxPlayer executable, Nox.exe, queried the BigNox API for update information, the API server answered with a download URL pointing at legitimate BigNox infrastructure. The update that NoxPlayer.exe then fetched from that URL, however, was found to contain surveillance malware.
The researchers found that the malicious files were not digitally signed. This strongly suggests that the BigNox build system itself was not compromised, only the systems that distributed updates; it also means that an updater which required a valid BigNox code signature before executing a download would have rejected these payloads. Once installed on a victim’s PC, the malware strains collected information about the system and sent it back to command-and-control (C2) servers.
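The design lesson from the two paragraphs above is that a download host cannot be trusted to serve what the update API promised, and the API cannot be trusted to promise the right thing, unless the client can verify both against a key that never lives on those servers. The following Go program is an added example illustrating that split, not BigNox's updater or ESET's code: a build-side key signs a small manifest (version, URL, SHA-256), the client verifies the manifest under a pinned public key and then checks the downloaded bytes against the signed hash. The manifest format, the `updates.example.invalid` URL and the artifact bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the update metadata the API hands back to the client: where to
// fetch the artifact and what its SHA-256 must be. The field names and the
// hypothetical URL below are assumptions for this example, not BigNox's format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignManifest runs on the build side. The signing key never touches the API
// or download servers, so compromising those cannot yield a valid manifest.
// It returns the canonical bytes that were signed and the signature over them.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyUpdate is the client side. fetch stands in for the HTTP download so the
// example runs offline. The artifact is returned only if the manifest signature
// verifies under the pinned vendor key AND the downloaded bytes hash to the
// value the signed manifest names.
func VerifyUpdate(pub ed25519.PublicKey, body, sig []byte,
	fetch func(url string) ([]byte, error)) ([]byte, error) {
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, fmt.Errorf("manifest unparsable: %w", err)
	}
	artifact, err := fetch(m.URL)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, fmt.Errorf("artifact from %s does not match signed hash: refusing update", m.URL)
	}
	return artifact, nil
}

// Demo plays out three deliveries against the same client. The artifact bytes
// are constructed sample data, not real NoxPlayer files.
func Demo() (genuineAccepted, swappedRejected, forgedRejected bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := []byte("constructed sample: genuine update bytes")
	malicious := []byte("constructed sample: payload swapped in on the download host")
	sum := sha256.Sum256(genuine)
	m := Manifest{Version: "1.2.3", URL: "https://updates.example.invalid/update.exe",
		SHA256: hex.EncodeToString(sum[:])}
	body, sig, _ := SignManifest(vendorPriv, m)

	// 1. Honest API, honest download host.
	_, err := VerifyUpdate(vendorPub, body, sig, func(string) ([]byte, error) { return genuine, nil })
	genuineAccepted = err == nil

	// 2. Honest API response, but the download host (or a redirect to an
	//    attacker server) serves different bytes: caught by the hash check.
	_, err = VerifyUpdate(vendorPub, body, sig, func(string) ([]byte, error) { return malicious, nil })
	swappedRejected = err != nil

	// 3. Attacker also controls the API and emits a manifest naming the malicious
	//    hash, signed with their own key: caught by the signature check.
	badSum := sha256.Sum256(malicious)
	m.SHA256 = hex.EncodeToString(badSum[:])
	fBody, fSig, _ := SignManifest(attackerPriv, m)
	_, err = VerifyUpdate(vendorPub, fBody, fSig, func(string) ([]byte, error) { return malicious, nil })
	forgedRejected = err != nil
	return
}

func main() {
	g, s, f := Demo()
	fmt.Printf("genuine accepted: %v, swapped artifact rejected: %v, forged manifest rejected: %v\n", g, s, f)
}
```

Case 2 is the situation the ESET findings describe: the API response was genuine and the URL pointed at BigNox infrastructure, yet the bytes served there were not what the build system produced. A hash pinned in a manifest that the distribution servers cannot re-sign closes that gap; on Windows the same role is normally played by requiring a valid Authenticode signature from the expected publisher before the downloaded executable runs.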
“The legitimate BigNox infrastructure provided malware for specific updates. We found that these malicious updates only took place in September 2020. Furthermore, we saw that malicious updates were downloaded from attacker-controlled…