NoxPlayer (Android emulator): update mechanism compromised for cyber espionage

ESET has exposed a supply chain attack against BigNox in which the NoxPlayer update mechanism was compromised.

Slovak cybersecurity vendor ESET discovered a new supply chain attack last month. It targeted BigNox, a Hong Kong-based company that offers NoxPlayer, an Android emulator for Windows and macOS.

NoxPlayer lets users play mobile games on a computer. BigNox claims over 150 million users in over 150 countries and 20 different languages. Most of those users are nevertheless in Asia.

According to ESET, the NoxPlayer update mechanism was compromised to distribute three families of malware.

The supply chain attack hit a BigNox API and its file hosting infrastructure. Attackers altered the download address of NoxPlayer updates to distribute malware to users.
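
As an added illustration (not code from ESET or BigNox), an update client can validate the download address returned by its update API before fetching anything, since an altered address is what delivered the malware here. The allowlisted hostnames, the `url` field name and the sample responses are constructed assumptions; this check does not cover a compromised file host, for which the client also needs to verify a signature on the downloaded file.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: exact hostnames the vendor serves updates from.
ALLOWED_HOSTS = {"updates.vendor.example", "cdn.vendor.example"}


def check_update_url(url: str) -> list[str]:
    """Return the reasons an update download URL is rejected (empty list = OK)."""
    reasons = []
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["unparseable URL"]
    # Normalise case and a trailing root dot before comparing.
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if parts.username is not None or parts.password is not None:
        # e.g. https://allowed-host@other-host/ : the real host is after the '@'
        reasons.append("credentials in URL")
    if port not in (None, 443):
        reasons.append("non-default port")
    # Exact match only: suffix or substring checks accept look-alike hosts.
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host not allowlisted: {host or '<none>'}")
    return reasons


def audit_update_responses(responses: list[dict]) -> list[tuple[str, list[str]]]:
    """Check the 'url' field of each update API response; return rejected ones."""
    flagged = []
    for resp in responses:
        url = resp.get("url", "")
        reasons = check_update_url(url)
        if reasons:
            flagged.append((url, reasons))
    return flagged


# Constructed sample responses (field names and hosts are illustrative).
SAMPLE = [
    {"version": "1.2.3", "url": "https://updates.vendor.example/app-1.2.3.exe"},
    {"version": "1.2.3", "url": "http://updates.vendor.example/app-1.2.3.exe"},
    {"version": "1.2.3", "url": "https://updates.vendor.example.cdn-mirror.example/app.exe"},
    {"version": "1.2.3", "url": "https://updates.vendor.example@files.other.example/app.exe"},
    {"version": "1.2.3", "url": "https://UPDATES.vendor.example.:443/app-1.2.3.exe"},
]

if __name__ == "__main__":
    for bad_url, why in audit_update_responses(SAMPLE):
        print(bad_url, "->", "; ".join(why))
```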

Selected victims

According to ESET telemetry from users running its security solutions, the first indicators of compromise date back to September 2020. Of the more than 100,000 users who installed NoxPlayer on their machines, only five received a malicious update.

Taking into account the nature of the malware as well, ESET describes a highly targeted cyber espionage campaign, presumably intended to collect information on the gaming community in Asia. Known as NightScout, the operation is said to have mainly claimed victims in Taiwan, Hong Kong and Sri Lanka.

Following the publication of its report earlier this week, ESET today received a response from BigNox, which says it has taken the necessary measures to improve the security of its users. BigNox had initially denied any compromise, but this is said to have been a misunderstanding.