NoxPlayer
NoxPlayer updates distributed targeted malware.
BigNox, the company behind NoxPlayer (an Android emulator for PC/Mac), had its update mechanism compromised. Attackers gained access to BigNox's update infrastructure and used it to deliver tailored malware payloads to specific users, primarily in Asian countries, without initially compromising the NoxPlayer software itself.
- Date: 2020-09-01 to 2021-01-25
- Category: Commercial
- Target Surface: Distribution
- Insertion Phase: distribution
- Impact: Backdoor
- Cause: Update infrastructure compromise
What Was Affected
Package: NoxPlayer
Language: C++
Component: Application
Artifact type: binary archive
Domain type: project download host
Domain: api.bignox.com
Compromised Versions
- No specific versions of NoxPlayer itself; its update mechanism was used instead.
Incident Context
- Motive: Espionage
- Attribution: Nation-state
- Transitive: No
- User Impact: 5
- Observed Duration: 146 days
Evidence
Compromised Artifacts
- Malicious updates delivered via BigNox's update infrastructure (e.g., api.bignox.com, res06.bignox.com) to targeted users.
Current Artifacts and Analysis
- https://securelist.com/operation-noxplayer/100644/ # Original Securelist (Kaspersky) analysis (Link confirmed dead, needs alternative or removal)
- https://www.eset.com/int/about/newsroom/press-releases/research/eset-discovers-operation-noxplayer-supply-chain-attack-infiltrates-gaming-community-in-asia/ # Original ESET Press Release (Link confirmed dead, needs alternative or removal)
External References
- https://securelist.com/operation-noxplayer/100644/ # Original Kaspersky report (Link confirmed dead, needs alternative)
- https://www.eset.com/int/about/newsroom/press-releases/research/eset-discovers-operation-noxplayer-supply-chain-attack-infiltrates-gaming-community-in-asia/ # Original ESET press release (Link confirmed dead, needs alternative)
Source Data
Source record: proprietary/noxplayer/meta.yaml