NoxPlayer users beware. A hacker group has gained access to the Android emulator's server infrastructure and has pushed malware to a few users in Asia. Slovak security firm ESET recently discovered the attack, and it has advised affected NoxPlayer users to reinstall the emulator to remove the malware from their systems.

For the unaware, NoxPlayer is an Android emulator that is popular among gamers. The emulator is primarily used to run Android games on x86 PCs, and it's developed by a Hong Kong-based company called BigNox. According to a recent report from ZDNet on the matter, a hacker group gained access to one of the company's official API servers (api.bignox.com) and one of its file-hosting servers (res06.bignox.com). With that access, the group tampered with the download URL that the API server hands to the NoxPlayer updater, so that the emulator fetched malware in place of a legitimate update.

In a report regarding the attack, ESET reveals that it has identified three different malware families that are being "distributed from tailored malicious updates to select victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities."

ESET further reveals that even though the attackers had access to BigNox servers since at least September 2020, they didn't target all of the company's users. Instead, the attackers focused on specific machines, suggesting that this was a highly targeted attack meant to infect only a certain class of users. So far, the malware-laden NoxPlayer updates have been delivered to only five victims, located in Taiwan, Hong Kong, and Sri Lanka. However, ESET recommends that all NoxPlayer users stay cautious. The security firm's report lays out instructions to help users figure out whether their system has been compromised.

Users who find signs of an intrusion should reinstall NoxPlayer from clean media. Users who are not compromised are advised not to download any updates until BigNox confirms that it has mitigated the threat. A BigNox spokesperson told ZDNet that the company is working with ESET to investigate the breach further.

Following the publication of this article, BigNox reached out to ESET stating that it has taken the following steps to improve security for its users:

  • Use only HTTPS to deliver software updates in order to minimize the risks of domain hijacking and Man-in-the-Middle (MitM) attacks
  • Implement file integrity verification using MD5 hashing and file signature checks
  • Adopt additional measures, notably encryption of sensitive data, to avoid exposing users’ personal information

The company further told ESET that it has pushed the latest files to NoxPlayer's update server and that, upon startup, the tool will run a check of the files previously installed on users' machines.
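The attack described above worked because the updater trusted whatever download URL the API server returned. HTTPS does not help once the attacker is on the server itself, and a hash that is served from that same server can simply be rewritten alongside the URL. The example below is added here to show the check that does hold up: the update manifest (URL plus file hash) is signed with a vendor key that never lives on the API or file-hosting servers, and the client verifies that signature before it follows the URL, then verifies the file hash after download. It is illustrative code, not BigNox's or ESET's; the manifest format, the `Scenario` helper, the `updates.example` and `attacker.example` URLs, and the installer bytes are all constructed for the demonstration. It uses SHA-256 rather than MD5 because MD5 collisions are practical, and a hash is only as trustworthy as the signature that covers it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor served by the vendor's API.
// URL and SHA256 are exactly the fields an attacker on that server can
// rewrite, so the client must not act on them until the signature checks out.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// Signed carries the manifest's canonical JSON and an Ed25519 signature over it.
type Signed struct {
	Manifest json.RawMessage `json:"manifest"`
	Sig      []byte          `json:"sig"`
}

// SignManifest runs in the vendor's offline release process; the private key
// must never be present on the API or file-hosting servers.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (Signed, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Manifest: raw, Sig: ed25519.Sign(priv, raw)}, nil
}

// VerifyManifest is the client-side check against a pinned vendor public key.
func VerifyManifest(pub ed25519.PublicKey, s Signed) (Manifest, error) {
	if !ed25519.Verify(pub, s.Manifest, s.Sig) {
		return Manifest{}, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(s.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// VerifyPayload compares the downloaded bytes with the hash in the verified manifest.
func VerifyPayload(m Manifest, payload []byte) error {
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload hash mismatch: refusing update")
	}
	return nil
}

// TamperURL models an attacker with write access to the API server swapping
// the URL and hash in a stored manifest. The old signature no longer matches.
func TamperURL(s Signed, url, sha string) Signed {
	var m Manifest
	_ = json.Unmarshal(s.Manifest, &m)
	m.URL, m.SHA256 = url, sha
	raw, _ := json.Marshal(m)
	return Signed{Manifest: raw, Sig: s.Sig}
}

// Scenario signs a genuine manifest, tampers a copy, and reports whether each
// passes the full client check. Returns (genuineAccepted, tamperedAccepted).
func Scenario() (genuineAccepted, tamperedAccepted bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	genuine := []byte("constructed placeholder for a legitimate installer")
	gsum := sha256.Sum256(genuine)
	m := Manifest{Version: "1.0.0", URL: "https://updates.example/setup.exe", SHA256: hex.EncodeToString(gsum[:])}
	signed, err := SignManifest(priv, m)
	if err != nil {
		return false, false, err
	}
	if vm, verr := VerifyManifest(pub, signed); verr == nil && VerifyPayload(vm, genuine) == nil {
		genuineAccepted = true
	}
	// Attacker rewrites the stored manifest to point at a trojanised file.
	malicious := []byte("constructed placeholder for a trojanised installer")
	msum := sha256.Sum256(malicious)
	tampered := TamperURL(signed, "https://attacker.example/setup.exe", hex.EncodeToString(msum[:]))
	if vm, verr := VerifyManifest(pub, tampered); verr == nil && VerifyPayload(vm, malicious) == nil {
		tamperedAccepted = true
	}
	return genuineAccepted, tamperedAccepted, nil
}

func main() {
	g, t, err := Scenario()
	fmt.Println("genuine accepted:", g, "tampered accepted:", t, "err:", err)
}
```

Running the program reports the genuine update as accepted and the tampered one as rejected, even though the attacker supplied a correct hash for the malicious file: the hash is covered by the signature, so changing it invalidates the manifest. The same structure protects against a compromised file-hosting server too, because the hash in the signed manifest no longer matches whatever is served from the tampered URL.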

This article was updated at 11:22 AM ET on February 3, 2021, to add a statement from BigNox, the developers of NoxPlayer.