A mysterious hacking group compromised the server infrastructure of a popular Android emulator and delivered malware to a handful of victims across Asia in a highly targeted supply chain attack.
The attack was discovered by Slovak security firm ESET on January 25 last week and targeted BigNox, a company that makes NoxPlayer, a software client for emulating Android apps on Windows or macOS desktops.
ESET claims that based on the evidence gathered by its researchers, a threat actor compromised one of the company’s official APIs (api.bignox.com) and file hosting servers (res06.bignox.com).
Using this access, the hackers spoofed the NoxPlayer update download URL on the API server in order to deliver malware to NoxPlayer users.
“Three different malware families have been spotted being distributed from personalized malicious updates to selected victims, with no signs of leveraging financial gain, but rather surveillance-related capabilities,” ESET said in a report shared today with ZDNet.
Despite evidence suggesting that attackers had access to BigNox servers since at least September 2020, ESET said the threat actor was not targeting all of the company’s users but instead focused on specific machines, suggesting a very targeted attack seeking to infect a certain class of users.
So far, and based on its own telemetry, ESET said it spotted NoxPlayer updates containing malware delivered to just five victims, located in Taiwan, Hong Kong and Sri Lanka.
ESET today released a report containing technical details that NoxPlayer users can use to determine whether they received an update containing malware, and how to remove it.
A BigNox spokesperson did not return a request for comment.
This incident is also the third supply chain attack discovered by ESET in the past two months. The first was the case of Able Desktop, software used by many Mongolian government agencies. The second was the case of VGCA, the official certification authority of the Vietnamese government.
ESET researchers have not officially linked this incident to a well-known hacking group. It’s unclear whether the NoxPlayer compromise is the work of a state-sponsored group or a financially motivated group seeking to compromise game developers.
ESET pointed out, however, that the three malware strains deployed via malicious updates to NoxPlayer had “similarities” to other malware strains used in a supply chain compromise of a Myanmar presidential election office website in 2018, and in an intrusion into a university in Hong Kong in early 2020.