Hackers target gamers with a supply-chain attack

Cyber criminals have compromised an Android emulator and used it to infect gamers’ devices with malware

Security researchers have discovered that hackers compromised an Android emulator and used it to infect gamers’ devices with malware.

According to researchers at ESET, a new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator that helps 150 million users worldwide play mobile games on their PCs and Macs, was discovered late last month.

So far, the supply-chain attack has infected gamers in Asia with three malware strains. There is no sign of the hackers using the malware for financial gain, but researchers have discovered that they are using it for surveillance.

The company behind NoxPlayer is Hong Kong-based BigNox, and NightScout is the cyber criminal group initiating the attacks. Security researchers said hackers compromised BigNox's res06.bignox.com storage servers and abused the api.bignox.com API infrastructure to install payloads. 

As of this writing, BigNox has denied being affected by the intrusion.

Researchers discovered indicators of compromise in September 2020, but it wasn’t until January 25 that they uncovered explicitly malicious activity. They immediately reported the malicious activity to BigNox.

“We have sufficient evidence to state that the BigNox infrastructure (res06.bignox.com) was compromised to host malware, and to suggest that their HTTP API infrastructure (api.bignox.com) could have been compromised. In some cases, additional payloads were downloaded by the BigNox updater from attacker-controlled servers,” researchers said.

After further investigation, researchers said that out of the 100,000 ESET users who also had NoxPlayer installed, only five received a malicious update. They said this showed that “Operation NightScout,” as they called it, was a “highly targeted operation.”

Victims are based in Taiwan, Hong Kong, and Sri Lanka. Researchers have not yet found any evidence of affected gamers in the US.

“We were unsuccessful in finding correlations that would suggest any relationships among victims. However, based on the compromised software in question and the delivered malware exhibiting surveillance capabilities, we believe this may indicate the intent of collecting intelligence on targets somehow involved in the gaming community,” said researchers.

Researchers said that gamers should “perform a standard reinstall from clean media” in case of intrusion.

“For non-compromised users: do not download any updates until BigNox notifies that it has mitigated the threat,” added researchers.
