How .NET MAUI is used to hide malware on Android

  • Attackers hide code in .NET MAUI C# blobs to evade DEX analysis.
  • Fake apps are distributed outside of Google Play and steal sensitive data.
  • They employ staged loading, multi-layer encryption, and encrypted C2 channels to persist undetected.


Cybercriminals have found a new hiding place for their campaigns: .NET MAUI, Microsoft's cross-platform framework. A growing number of fake apps pose as banking, messaging, dating, or social networking apps, but are really after one thing: stealing your data while bypassing Android detection systems with non-trivial techniques.

The discovery, observed primarily in India and China, marks a trend that could escalate quickly. By taking advantage of the fact that .NET MAUI lets logic be packaged into C# binaries that are unusual on Android, attackers gain an extra layer of stealth against antivirus programs that have historically scanned DEX files or native libraries. The result: apps that look legitimate and survive longer on your phone.

What is .NET MAUI and why is it the key piece?

.NET Multi-platform App UI (.NET MAUI) is the successor to Xamarin and enables the creation of native applications from a single C# and XAML codebase for Android, iOS, Windows, and macOS. Released in 2022, it was created to simplify cross-platform development, and since May 1, 2024, Xamarin has officially been unsupported, encouraging migration to .NET MAUI in professional environments.

The key to the abuse on Android lies in the packaging: unlike classic apps whose logic is compiled to DEX (Java/Kotlin), those built with .NET MAUI can store functionality in large C# binary blobs. Many security tools automate their analysis of DEX and native code, leaving these blobs less scrutinized, so they end up being an effective hiding place for malicious code.

This architecture offers attackers several advantages: a “stealth mode” that hides the logic inside those binaries, prolonged persistence because detection takes longer, and the possibility of using evasion techniques that are uncommon in the traditional Android ecosystem. In short, the framework acts in practice as a packer that complicates static inspection.
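To make the packaging difference concrete, here is an added triage script (not code from the article or from any analysed sample) that inventories an APK the way a defender would: it lists the DEX files and native libraries a classic scanner looks at, then separately lists the .NET assembly blobs and gives each a verdict. It assumes the Xamarin/.NET Android layout where assemblies live under assemblies/*.dll, that a plain assembly starts with the PE "MZ" magic, and that LZ4-compressed assemblies carry the "XALZ" header; newer .NET releases can pack assemblies differently (for example into a single assemblies.blob), so the path filter is a starting point rather than a rule. The sample APK is constructed in memory and contains no real malware.

```python
import io
import math
import zipfile
from collections import Counter

# Magic values used to classify each blob. "MZ" opens a PE/COFF file, i.e. a
# plain .NET assembly; "XALZ" is the header Xamarin/.NET Android prepends to
# LZ4-compressed assemblies. Assumption: assemblies are stored as
# assemblies/*.dll (adjust the filter for assemblies.blob-style packaging).
PE_MAGIC = b"MZ"
XALZ_MAGIC = b"XALZ"
HIGH_ENTROPY = 7.5  # bits per byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; managed code usually lands well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes) -> str:
    """Verdict for one assembly entry: readable PE, XALZ-compressed, or opaque."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(XALZ_MAGIC):
        return "xalz-compressed"
    return "opaque-high-entropy" if shannon_entropy(data) > HIGH_ENTROPY else "opaque"


def triage_apk(apk_bytes: bytes) -> dict:
    """Inventory an APK (a zip): DEX files, native libs and .NET assembly blobs."""
    report = {"dex": [], "native": [], "assemblies": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".dex"):
                report["dex"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                report["native"].append(name)
            elif name.startswith("assemblies/") or name.endswith((".dll", ".blob")):
                report["assemblies"][name] = classify_blob(zf.read(name))
    # Entries that cannot be read as-is and must be decompressed or decrypted
    # before any signature or string scan can see their contents.
    report["needs_unpacking"] = [
        name for name, verdict in report["assemblies"].items() if verdict != "pe"
    ]
    return report


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK; none of these entries come from a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder for binary XML>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF" + b"\x00" * 64)
        zf.writestr("assemblies/App.dll", PE_MAGIC + b"\x00" * 64)
        zf.writestr("assemblies/Mono.Android.dll", XALZ_MAGIC + b"\x00" * 68)
        # Encrypted-looking payload: every byte value once, entropy exactly 8.0
        zf.writestr("assemblies/Payload.dll", bytes(range(256)))
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

The point of the report is the last field: a pipeline that only feeds classes.dex and lib/ to its scanners never reads the assemblies entries at all, and even one that does still has to unpack XALZ or decrypt opaque blobs before strings and signatures apply.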

Fake apps based on .NET MAUI

How they camouflage themselves: from banking to social networks

The observed cases show a consistent tactic: apps that mimic legitimate services to inspire trust. APKs have been seen outside Google Play impersonating banks, messaging apps, dating platforms, and popular social networks (including clones of X, formerly Twitter) which, once installed, request sensitive data through flows that look genuine.

Banking example: a fraudulent app presented itself as IndusInd Bank (India). Its interface asked for full name, phone number, email address, date of birth, tax IDs (such as PAN and Aadhaar) and even card data. When the user tapped “send,” the information traveled directly to a command and control (C2) server run by the attackers.

Social network example: another app, aimed at Chinese-speaking users, promised SNS functions but, behind the scenes, tried to read contacts and SMS messages and access photos on the device. This kind of silent theft hides inside seemingly normal app flows, so the user notices nothing unusual while browsing.

Distribution: since they would not pass Google's review, these applications are not on the Play Store. They spread through fake websites, third-party stores, chat groups, and links shared via SMS or messengers. In environments where Google Play is restricted (e.g., China), the habit of downloading from alternative stores facilitates fraud.

The evasion techniques they employ

In addition to visual camouflage, these campaigns use a number of tricks to avoid detection and frustrate analysts. A common pattern is staged loading: instead of exposing all the malicious content at once, the malware deploys in phases, each revealing only a portion of the behavior.

Specifically, several analyses describe a three-stage scheme that decrypts and executes payloads step by step, increasing the difficulty of analysis. This approach is complemented by multi-layer encryption, combining techniques such as XOR and AES to make logic and communications opaque to superficial inspection.

Another common trick is to inflate the AndroidManifest.xml with random strings or meaningless permissions (e.g., permissions with made-up names like “android.permission.LhSSzIw6q”). This “noise” confuses automated security tools, complicates static analysis, and sometimes breaks simple heuristics.
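The manifest noise described above is easy to score automatically once the binary manifest has been decoded (for example with apktool). The following checker is an added example, not code from the article: it assumes that genuine permission names end in an UPPER_SNAKE_CASE constant after the last dot, which holds for the platform's own android.permission.* names and for conventional vendor permissions, and flags anything else as noise. The sample manifest is constructed for the example; its package name and the two random permission names are invented (one of them is the LhSSzIw6q string quoted in the text).

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Genuine permission names end in an UPPER_SNAKE_CASE constant after the last
# dot (android.permission.READ_SMS, com.android.vending.BILLING). A segment
# such as LhSSzIw6q, mixed case with digits, does not, so it counts as noise.
CONSTANT_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")

# Constructed sample of a decoded AndroidManifest.xml; the package name and
# the two random permissions are made up for this example.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.LhSSzIw6q"/>
  <uses-permission android:name="android.permission.qX9vLmZ2"/>
  <uses-permission android:name="com.example.fakebank.permission.C2D_MESSAGE"/>
  <application android:label="Bank"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Every android:name on a <uses-permission> element, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]


def is_noise(permission: str) -> bool:
    """True when the final segment is not a conventional permission constant."""
    _prefix, _dot, constant = permission.rpartition(".")
    return not CONSTANT_RE.match(constant)


def analyze_manifest(manifest_xml: str) -> dict:
    """Count requested permissions and isolate the ones that look generated."""
    names = requested_permissions(manifest_xml)
    noise = [n for n in names if is_noise(n)]
    return {
        "total": len(names),
        "noise": noise,
        "noise_ratio": len(noise) / len(names) if names else 0.0,
    }


if __name__ == "__main__":
    print(analyze_manifest(SAMPLE_MANIFEST))
```

A non-zero noise ratio is a strong anomaly on its own; the remaining, well-formed permissions (READ_SMS and READ_CONTACTS for a "bank") are then what a reviewer compares against the app's stated purpose.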

Exfiltration is equally protected: the stolen data is sent to C2 servers over encrypted TCP sockets, so that even if traffic is intercepted, it is difficult to decrypt its content and correlate it with malicious behavior. All of this is hidden in C# blobs, which do not always receive the same attention as traditional DEX.
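An encrypted channel that is not TLS is itself a detectable trait. The classifier below is an added example (not from the article) of the heuristic a network or on-device monitor can apply to the first bytes an app sends on a new connection: recognise a TLS record header or an HTTP request line, and otherwise treat a high-entropy opening as a custom encrypted stream. The flow records, app names and TEST-NET-3 addresses are constructed for the example and are not indicators from any campaign.

```python
import math
from collections import Counter

HIGH_ENTROPY = 7.0   # bits per byte; ciphertext and compressed data sit near 8.0
MIN_SAMPLE = 32      # fewer bytes than this cannot be judged by entropy

# Constructed flow records: (app, destination, first bytes the app sent).
# Addresses are from the TEST-NET-3 documentation range; nothing is real.
SAMPLE_FLOWS = [
    ("com.example.bank", "203.0.113.10:443",
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)),
    ("com.example.news", "203.0.113.20:80",
     b"GET /feed HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    ("com.example.fakebank", "203.0.113.30:8443", bytes(range(256))),
    ("com.example.notes", "203.0.113.40:9000",
     b"username=alice&password=hunter2&remember=1"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_stream(first_bytes: bytes) -> str:
    """Label a connection by its opening bytes."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03):
        return "tls"
    if first_bytes.startswith((b"GET ", b"POST ", b"PUT ", b"HEAD ", b"CONNECT ", b"HTTP/")):
        return "http"
    if len(first_bytes) < MIN_SAMPLE:
        return "too-short"
    if shannon_entropy(first_bytes) > HIGH_ENTROPY:
        return "opaque-encrypted"
    return "plaintext"


def find_custom_encrypted_channels(flows) -> list:
    """Flows that look encrypted but are not TLS: the 'encrypted TCP sockets' pattern."""
    alerts = []
    for app, dst, first in flows:
        verdict = classify_stream(first)
        if verdict == "opaque-encrypted":
            alerts.append({"app": app, "dst": dst, "verdict": verdict})
    return alerts


if __name__ == "__main__":
    for alert in find_custom_encrypted_channels(SAMPLE_FLOWS):
        print(alert)
```

Treat a hit as a triage signal rather than proof: some legitimate apps also speak non-TLS encrypted protocols, so the value is in pairing the verdict with the app's origin (sideloaded or not) and the permissions it holds.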

What capabilities do they usually include?

The observed campaigns range from theft of personal information to spyware-like features. Among the most frequently used capabilities are reading contacts, accessing SMS, obtaining stored photos and collecting device information, all with the goal of profiling the victim or monetizing the data.

In the financial field, banking trojans that capture credentials, card numbers, and other secrets are common. In some cases they resort to overlays that mimic the screen of a legitimate bank and steal what the user enters. Families such as Cerberus or Alien are known for this in the Android ecosystem, and although the focus of this wave is .NET MAUI, the theft logic follows very similar principles.

It is not limited to bank fraud: certain samples behave like spyware, tracking activity on social networks and communications, or like ransomware, encrypting files and demanding payment. The convergence of .NET MAUI with this catalog of threats multiplies its effectiveness by adding a novel layer of evasion.

Important: unlike much Android malware that downloads the malicious payload after installation (the “download on demand” technique), with .NET MAUI some of the dangerous logic already comes prepackaged and hidden, reducing exposure to intermediate controls.

Warning signs and how to identify them

Even if the disguise is good, there are signs that should raise suspicion. The clearest is the installation source: if the app arrives through links in SMS, chat groups, unknown websites or alternative stores, be extremely cautious, especially if it replicates a service already present in Google Play.

Another clue is excessive permission requests: a flashlight app that asks for text messages and contacts, a utility that requires accessibility services for no reason, or a “bank” that demands more than is reasonable. A bloated manifest with strange permissions, when it is reviewed, is a textbook anomaly.

It is also advisable to be wary of apps whose icons disappear from the drawer, subtle configuration changes, or behaviors that degrade performance and battery life without explanation. These signs, while not conclusive, point to background processes that could be malicious.

Finally, enable and regularly review Google Play Protect. This feature, when enabled, can block or warn you about some of the apps flagged in recent research, adding an additional barrier if you move outside the official ecosystem.

How they are distributed and who they target

Operators have prioritized regions where downloading from alternative stores is common, such as China, or countries where the appeal of mobile banking and digital payments is strong, such as India. This explains targeted campaigns with apps that imitate X or local banks such as IndusInd.

The entry channel is usually social: private messages, chat groups, “job offers” or promises of premium features. Sometimes the domains hosting the APKs are convincing clones of real brands, which increases installation rates and reduces initial user suspicion.

The absence from the Google Play Store is intentional: it bypasses the store's automatic and manual checks. Instead, attackers deploy their own infrastructure to serve downloads and recycle the same malicious core across multiple “brands” with different icons and names.

Good practices to protect yourself

There are a number of habits that drastically reduce this risk. The first is the most obvious: install apps only from official sources (Google Play or verified manufacturer stores). While not foolproof, it eliminates 90% of the dangerous scenarios that rely on direct APK installation.

Keep the system and apps always updated. Security patches close vectors that much malware exploits opportunistically. Since these campaigns evolve rapidly, having the latest version of Android and your apps is a key defense.

Pay attention to permissions. If something doesn't fit the app's function, ask why it's needed, and if in doubt, deny it. Some security tools let you categorize and audit permissions to help you make a more informed decision.

Evaluate a trusted mobile security solution: options like McAfee+, Bitdefender Mobile Security, or Kaspersky Internet Security for Android offer real-time protection and better filtering of dubious installations. And, very importantly, keep Google Play Protect activated.

If you operate in a region without the Play Store, before installing an APK, run it through a recognized malware scanner and verify that the source is reliable. Haste makes waste: spending two minutes validating the origin can save you a lot of trouble.

What .NET MAUI Legitimately Does (and Why It Shouldn't Scare You)

It's worth remembering that .NET MAUI is a legitimate and powerful framework used by thousands of developers. In fact, it includes APIs designed to protect users, such as ISecureStorage (exposed as SecureStorage.Default), which stores key–value pairs securely and with explicit limitations (suited to small strings, not large volumes). These capabilities are used daily in apps that respect your privacy.

There are also tools in the ecosystem that improve quality and the response to failures, such as Sentry, which has an SDK for .NET MAUI (Sentry.Maui) and a dashboard for monitoring errors and events. Its purpose is to help teams detect problems and prioritize and resolve them more quickly; it is not a spying mechanism.

In addition, there are productivity utilities within the ecosystem itself, such as the FileSaver of the .NET MAUI Community Toolkit, which lets you propose a file name and save a file to a user-selected path with system confirmation. These features are built on system dialogs, permissions and platform best practices, and are part of normal app development.

Ultimately, the fact that attackers abuse .NET MAUI does not make the framework “dangerous” per se; it is simply that its packaging and cross-platform nature provide an evasion niche that defenders are already closing with better signatures and deeper analysis.

Attackers' internal strategies: layers, confusion, and C2

Summarizing the technical anatomy, the most repeated elements are: packaging in C# blobs, which is uncommon on Android; layered encryption (combinations of XOR and AES) to hide strings and payloads; and phased loading to delay the exposure of actual functionality during analysis.

In parallel, they manipulate the AndroidManifest.xml with random or inflated permissions to break heuristics and confuse automated tools, and use encrypted TCP sockets to communicate with C2 servers. This closed channel complicates interception and makes it harder to reconstruct the flow of stolen data.

With this cocktail, samples can remain active for long periods undetected, be recycled into new “brands” and expanded to other countries with few modifications. The fact that multiple variants with the same tricks already exist suggests that we are facing a trend, not isolated cases.

What to do if you suspect you've installed a scam app

If you notice any unusual signs (unusual usage, misplaced permissions, a disappearing icon, unrecognized messages or calls), act quickly. Uninstall the app, run a scanner of proven reputation and immediately change key passwords (especially banking and email). Review bank transactions and activate alerts.

In severe cases, consider restoring the device to factory settings and reinstalling from scratch only apps from official sources. A full wipe is the surest way to get rid of obscure lingering issues and return your device to a reliable state.

If the app was impersonating a specific service (e.g., your bank), notify the actual provider; many have procedures to revoke tokens, lock sessions, and help secure your accounts. Your warning can also help prevent other users from falling victim.

The practical conclusion is clear: even though these campaigns raise the technical bar, with prudent habits, the right tools, and attention to the signals, you can stay one step ahead. Downloading from official stores, monitoring permissions, updating, and using real-time security remain the recipe that most reduces risk.

This phenomenon demonstrates that attackers continue to evolve and seek out new regions and formats to infiltrate; however, knowing how they leverage .NET MAUI, what tactics they use (C# blobs, multi-layer encryption, inflated manifests, and encrypted C2), and where they are distributed (outside of Play, via third-party links and stores) gives you the tools to recognize the scam and protect your data without giving up legitimate apps that use the framework responsibly.