Thamera¶
Android trojan notable for being written in .NET Framework using the cross-platform .NET MAUI framework, which is highly unusual for Android malware and complicates traditional static analysis tools designed for Java/Kotlin bytecode. Tracked by Kaspersky in Q3 2023, Thamera turns target devices into proxies for creating accounts on social networks.
Overview¶
| Property | Value |
|---|---|
| First Seen | 2023 |
| Type | Trojan (proxy / social media account farming) |
| Attribution | Unknown |
| Aliases | Trojan.AndroidOS.Thamera (Kaspersky), Trojan:AndroidOS/Thamera.A!MTB (Microsoft) |
Distribution¶
Unknown specific vector. Concentrated in India per Kaspersky Q3 2023 statistics.
Capabilities¶
| Capability | Implementation |
|---|---|
| Proxy creation | Turns devices into proxies for social network account creation |
| .NET MAUI framework | Written in .NET, defeating standard Android decompilers (jadx, apktool) |
| Account farming | Automated social media account creation through proxied connections |
Significance¶
Thamera's use of .NET MAUI is its most interesting aspect from a reversing perspective. Standard Android analysis tools expect Dalvik bytecode or native ARM code. .NET MAUI apps package their logic in .NET assemblies that require different tooling (ILSpy, dnSpy) for analysis. McAfee documented broader adoption of .NET MAUI by Android malware campaigns specifically to evade detection.