NoxPlayer Android Emulator Supply-Chain Attack

It seems to be the season of sophisticated supply-chain attacks.

This one is in the NoxPlayer Android emulator:

ESET says that based on evidence its researchers gathered, a threat actor compromised one of the company’s official API ( and file-hosting servers (

Using this access, hackers tampered with the download URL of NoxPlayer updates in the API server to deliver malware to NoxPlayer users.


Despite evidence implying that attackers had access to BigNox servers since at least September 2020, ESET said the threat actor didn’t target all of the company’s users but instead focused on specific machines, suggesting this was a highly-targeted attack looking to infect only a certain class of users.

Until today, and based on its own telemetry, ESET said it spotted malware-laced NoxPlayer updates being delivered to only five victims, located in Taiwan, Hong Kong, and Sri Lanka.

I don’t know if there are actually more supply-chain attacks occurring right now. More likely is that they’ve been happening for a while, and we have recently become more diligent about looking for them.

Posted on February 8, 2021 at 6:34 AM3 Comments


Impossibly Stupid February 8, 2021 10:02 AM

I don’t know if there are actually more supply-chain attacks occurring right now.

I think it’s more the case of previously common incidents being classified under a new, fashionable umbrella. Personally, I don’t see anything here that makes this a supply chain attack. Company servers have been hacked to deliver malware and launch targeted spear phishing attacks for ages. There was nothing in the article that indicated to me that this Android emulator was part of any sort of supply chain.

xcv February 8, 2021 11:03 AM

I don’t know if there are actually more supply-chain attacks occurring right now

I don’t like the supply-chain mentality. Silicon Valley bosses have delusions of Chinese gang labor cranking out all their stuff to order with just-in-time delivery under U.S. Navy protection.

If they had any honesty or self-respect, the consumer device manufacturers would publish specs for the basic component parts they want to order, and put the job out for public bid to keep domestic production in business.

But they have “something to hide” with all that foreign influenced intellectual property crapola and they are not interested in doing that.

Clive Robinson February 8, 2021 12:18 PM

@ Bruce, ALL,

It seems to be the season of sophisticated supply-chain attacks.

Let me say straight off, it’s probably a good sign that supply chain attacks, like phishing attacks have become the top types of attack respectively.

Why a “good sign”… well because it means other types of attack have become less successful.

But we should not be complacent because in effect “the low hanging fruit” have become unavailable in this season, thus it’s now time for the slightly higher level fruit to get munched upon.

But two things to note,

1, Low hanging fruit comer around every new season.
2, Some evolve so that they operate beyond the low hanging fruit at all times.

One thing the ICTsec industry should be (in)famous for is not learning from it’s history of even half a decade ago… Thus the ICTsec “seasons” are lamentabley short in duration unlike other fields of endeavour.

Another thing to note is supply line poisoning has been going on for literally years…

Who’s old enough to remember the original Microsoft Word macro virus, shipped out in POC form on Microsoft’s tech support CD’s?

How about the Apple iPod shipped with Windows malware?

How about Epos terminals that had built in cellular modems so that card details could be sent to China?

Oh and how many don’t remember that photograph of the NSA intercepting boxes of network equipment and inserting implants?

The root cause in all cases except perhaps the first is “long supply lines” with “multiple nodes”…

The US DOD got it’s panties in a tight wad (knickers in a twist) publically getting on for a couple of decades ago over what it called Supply chain poisoning when it finally woke up and realised that most IC fabrication was not done in the US but the Far East. They put out requests for people to come up with ideas of how to solve the problem. As @Nick P pointed out the most interesting contenders suddenly went quiet, which probably ment the DOD through DARPA gave them big grants and enveloped them in secrecy.

But as I’ve frequently pointed out for more than a quater of a century two things were to blaim,

1, Political mantras to excuse Laying off of skilled staff.

2, Outsourcing to unskilled staff abroad where developers could be had for less thwn 1/10th of the costs in the US.

Not only was this a false very short term saving (technical debt) it also ment loyalty could be had away for a company for a few shekels. So labour cost less on this years balance sheet but all those other costs went embarisingly up year after year way faster than the rate of inflation or cost of living. So MBA 101 solution “double down”…

I could go on but there is a fundemental rot in the US version of capitalism, and it’s mostly due to lies taught to the likes of MBA’s etc, to hide the real neo-con “rape and pillage” mentality.

Which means the stupidity is now ingrained in managment for the next thirty years or so, unless of course COVID or something simillar shakes the tree hard enough to shake those baboons out, hopefully to fall and never rise again.

But on the security aspect long supplie chains are a compleate disaster due to another MBA style mantra of “110%” efficiency which is obviously preposterous, even 90% is not realisticaly achievable even for very short periods of time.

Nature has shown repeatedly that 1-1/e is an interesting number it’s 63.21%… engineers know it mainly as the “time constant” for exponential circuits and many other processes with 5CR giving

But importantly nature has kind of decreed by example over the eons that 1-1/e is as far as we can tell, the optimum value for survivability in the face of uncertainty and random events…

Anything above that is “in the danger zone” and will become increasingly fragile.

Security in real terms is little different, something short term “grab it and run” neo-con thinking tries it’s best to ignore but incteasingly fails due to it trying to also “buy out the competition”… Eventually you get to “last man standing” and he is a very weary depleated, with no reserves fragile example of what should be…

Which id why you should always remenber,

Some evolve so that they operate beyond the low hanging fruit at all times.

These people operate at Level III or the equivalent of “Nation State Level” they are almost by definition “robust” not “fragile”. They survive and easily defeat “fragile” most of the time because with fragility comes the lack of foresight to have capable mitigations and defences.

It is this which is giving us this,

sophisticated supply-chain attacks

And it’s “seasonality” is due to the ICTsec industry,

Not Learning from it’s history.

Nearly everything else you might think might be the cause is due to just “coincidence”…

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.