Hacker group inserted malware into the NoxPlayer Android emulator

NoxPlayer

Image: BigNox, ZDNet

A mysterious group of hackers compromised the server infrastructure of a popular Android emulator and delivered malware to a handful of victims across Asia in a highly targeted supply-chain attack.

The attack was discovered by Slovak security firm ESET on January 25 last week, and targeted BigNox, the company behind NoxPlayer, a software client that runs Android applications on Windows or macOS desktops.

ESET says that, based on the evidence gathered by its researchers, a threat actor compromised one of the company's official API servers (api.bignox.com) and one of its file-hosting servers (res06.bignox.com).

Using this access, the attackers tampered with the download URL that the API server hands to the NoxPlayer updater, so that selected clients fetched malware instead of a legitimate update.
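The mechanism above works because the client trusts whatever the API server says. The following Go program is an added illustration, not BigNox's or ESET's code, and it assumes a hypothetical update-manifest format (a JSON object with a version, a download URL and a SHA-256 of the file) rather than NoxPlayer's real protocol. It replays both compromises the article describes with constructed data: an attacker who controls the API server rewrites the manifest to point at their own file, and an attacker who controls the file server swaps the file behind the legitimate URL. An updater that follows the URL blindly installs the attacker's payload in both cases; an updater that verifies an Ed25519 signature over the manifest with a key pinned in the client, and then checks the download against the signed hash, rejects both.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what a hypothetical update API returns to the client:
// where to download the update and what the download must hash to.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedManifest carries the manifest bytes plus the vendor's Ed25519
// signature over them, made with a key that never lives on the API server.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest runs on the vendor's offline release machine.
func SignManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	b, _ := json.Marshal(m) // only string fields, so Marshal cannot fail
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}
}

// UnverifiedUpdate follows whatever URL the API returned and installs the bytes.
// This is the trust model the attack described in the article exploits.
func UnverifiedUpdate(sm SignedManifest, fetch func(string) []byte) ([]byte, error) {
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return nil, err
	}
	return fetch(m.URL), nil
}

// VerifiedUpdate checks the manifest signature against a public key pinned in
// the client binary, then checks the downloaded bytes against the signed hash.
func VerifiedUpdate(pub ed25519.PublicKey, sm SignedManifest, fetch func(string) []byte) ([]byte, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return nil, errors.New("manifest signature invalid: API response is not from the vendor")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return nil, err
	}
	payload := fetch(m.URL)
	if hashHex(payload) != m.SHA256 {
		return nil, fmt.Errorf("download from %s does not match signed hash", m.URL)
	}
	return payload, nil
}

// Outcome records what each client did in the two tampering scenarios.
type Outcome struct {
	UnverifiedInstalledTamperedURL bool
	UnverifiedInstalledSwappedFile bool
	VerifiedRejectedTamperedURL    error // non-nil means the update was refused
	VerifiedRejectedSwappedFile    error
}

// RunScenario replays (1) a rewritten manifest on the API server and
// (2) a swapped file on the file server, all with constructed data.
func RunScenario() Outcome {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed demo key
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	genuine := []byte("genuine installer bytes (constructed)")
	malware := []byte("attacker-supplied installer bytes (constructed)")
	const goodURL = "https://files.example/updater-7.0.0.exe"  // hypothetical
	const evilURL = "https://files.example/updater-7.0.0b.exe" // hypothetical

	signed := SignManifest(priv, Manifest{Version: "7.0.0", URL: goodURL, SHA256: hashHex(genuine)})

	// Scenario 1: API server compromised. The manifest's URL and hash are
	// rewritten, but the attacker has no signing key, so the old signature stays.
	tampered, _ := json.Marshal(Manifest{Version: "7.0.0", URL: evilURL, SHA256: hashHex(malware)})
	apiTampered := SignedManifest{Manifest: tampered, Signature: signed.Signature}
	fetch1 := func(u string) []byte { return map[string][]byte{goodURL: genuine, evilURL: malware}[u] }

	// Scenario 2: file server compromised. Manifest untouched, file replaced.
	fetch2 := func(u string) []byte { return map[string][]byte{goodURL: malware}[u] }

	var o Outcome
	got, _ := UnverifiedUpdate(apiTampered, fetch1)
	o.UnverifiedInstalledTamperedURL = bytes.Equal(got, malware)
	got, _ = UnverifiedUpdate(signed, fetch2)
	o.UnverifiedInstalledSwappedFile = bytes.Equal(got, malware)
	_, o.VerifiedRejectedTamperedURL = VerifiedUpdate(pub, apiTampered, fetch1)
	_, o.VerifiedRejectedSwappedFile = VerifiedUpdate(pub, signed, fetch2)
	return o
}

func main() {
	o := RunScenario()
	fmt.Println("unverified client installed attacker payload:", o.UnverifiedInstalledTamperedURL, o.UnverifiedInstalledSwappedFile)
	fmt.Println("verified client, tampered API:", o.VerifiedRejectedTamperedURL)
	fmt.Println("verified client, swapped file:", o.VerifiedRejectedSwappedFile)
}
```

The point of the design is that neither the API server nor the file server holds anything an attacker can use to forge a manifest: the signing key stays offline and the verification key ships inside the client, so compromising the servers lets an attacker break updates but not substitute them. Whether NoxPlayer's own updater performed comparable checks is not stated in the article.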

“Three different malware families were found being distributed from personalized malicious updates to selected victims, with no sign of leverage of any financial gain, but rather resources related to surveillance,” ESET said in a report shared today with ZDNet.

Although evidence suggests that the attackers had access to BigNox servers since at least September 2020, ESET said the threat actor did not target all of the company's users. Instead it focused on specific machines, which points to a highly targeted operation meant to infect only a certain class of users.

To date, and based on its own telemetry, ESET said it has detected malicious NoxPlayer updates delivered to just five victims, located in Taiwan, Hong Kong and Sri Lanka.

Image: map of NoxPlayer victims (ESET)

ESET today released a report with technical details that NoxPlayer users can use to determine whether they received a malicious update and how to remove the malware.

A BigNox spokesman did not respond to a request for comment.

This incident is also the third supply-chain attack discovered by ESET in the past two months. The first involved Able Desktop, software used by many government agencies in Mongolia. The second involved VGCA, the official certification authority of the Vietnamese government.

ESET researchers did not formally link this incident to a known hacking group. It is unclear whether the NoxPlayer compromise is the work of a state-sponsored group or of a financially motivated group looking to compromise game developers.

ESET, however, pointed out that the three malware strains deployed through the malicious NoxPlayer updates were "similar" to malware used in a 2018 supply-chain compromise of the Myanmar presidential office's website and in an early-2020 intrusion at a Hong Kong university.
