Cyber-attack that targets NoxPlayer Android emulator app gamers with malware

February 6, 2021

Cybersecurity researchers have recently discovered that NoxPlayer, an Android emulation app for Windows and macOS made by the Hong Kong-based company BigNox, was compromised via its update mechanism. The unidentified threat actor hijacked the update process and infected gamers with malware.

NoxPlayer is currently used by gamers in 150 countries around the world. Still, the security researchers found through data analysis that, in January 2021, the supply-chain attack focused only on infecting Asian gamers, using at least three different malware strains.

Dubbed NightScout, the hacking group behind the operation exploited BigNox’s storage DNS and infrastructure to store and deliver the malware, and its API infrastructure to deploy the payloads.

The cybersecurity researchers have sufficient evidence to state that BigNox’s infrastructure server was hijacked to host malware, and suggest that the API infrastructure may also have been compromised. In some cases within the analyzed data, payloads were downloaded by the updater from the compromised servers.

An unknown malware and the extensively used Gh0st remote access trojan (RAT) were included in the malicious updates delivered through NoxPlayer’s compromised update function. A third malware, PoisonIvy RAT, was also discovered during the attack chain investigation, but it was delivered as a second-stage payload from the attackers’ infrastructure and not via malicious NoxPlayer updates.


The attack is projected to have infected many computers with NoxPlayer installed between September 2020, when it started, and January 2021, when it was discovered.


Instead, the threat actors chose to infect five targets from Hong Kong, Taiwan, and Sri Lanka, revealing the hacking operation’s intention. This cyber-espionage operation from NightScout is somewhat different and peculiar, as it focused on targets in the gaming community, unlike other detected campaigns that targeted government and banking to collect data.

Everyone who uses NoxPlayer has been advised to perform a standard reinstallation from clean media in case of intrusion. Uninfected NoxPlayer users are advised not to download updates until BigNox sends notification that the threat has been mitigated. Still, the best practice is to uninstall the software to avoid compromise.
