McAfee’s Mobile Research Team has uncovered a sophisticated malware campaign targeting Android users, particularly those who speak Hindi in India. This operation cleverly disguises itself as legitimate financial applications from well-known institutions such as SBI Card, Axis Bank, and IndusInd Bank.
The malware is distributed via dynamically generated phishing websites that closely resemble official banking portals. By utilizing authentic assets, including images and JavaScript from legitimate sites, these phishing sites enhance their credibility and lure unsuspecting users.
Dual-Threat Campaign
What distinguishes this malware is its dual functionality. It not only exfiltrates sensitive personal and financial data but also covertly mines Monero cryptocurrency using the open-source XMRig tool, which can be activated remotely via Firebase Cloud Messaging (FCM). The malware masquerades as a Google Play update, preying on user trust and prompting installations that ultimately lead to data theft.
As a proactive member of the App Defense Alliance, McAfee promptly reported these threats to Google, leading to the blocking of the associated FCM account to prevent further distribution of the malware. All variants of this malware have been classified as high-risk by McAfee Mobile Security, with telemetry indicating that infections are primarily concentrated in India, although isolated incidents have been reported in other regions.
Cryptomining Payload
The malware employs a multi-stage dropper architecture designed to evade static analysis and detection. Upon installation, the APK presents a counterfeit Google Play interface that prompts users for an “update.” Internally, it decrypts an encrypted DEX file from its assets folder using an XOR key. This first-stage loader then decrypts and dynamically loads a second-stage payload, which appears as a fake financial app interface.
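As an added triage example (not code from McAfee's report or from the malware itself), the helper below shows how an analyst can recover a short repeating XOR key from a dropper's asset blob by using the fixed DEX header fields as known plaintext; the sample header and the key `k3y!` are constructed for the demo and are not values from this campaign.

```python
import struct
from itertools import cycle

# Known plaintext: every DEX file starts with "dex\n" + a 3-digit version + NUL.
DEX_MAGICS = [b"dex\n%03d\0" % v for v in range(35, 40)]
HEADER_SIZE_OFF, ENDIAN_TAG_OFF = 0x24, 0x28  # fixed-value header fields

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the scheme the dropper is described as using)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def looks_like_dex(data: bytes) -> bool:
    """Validate the constant header fields, not just the 8-byte magic, to avoid false hits."""
    if len(data) < 0x70 or data[:8] not in DEX_MAGICS:
        return False
    header_size = struct.unpack_from("<I", data, HEADER_SIZE_OFF)[0]
    endian_tag = struct.unpack_from("<I", data, ENDIAN_TAG_OFF)[0]
    return header_size == 0x70 and endian_tag == 0x12345678

def recover_xor_key(blob: bytes, max_key_len: int = 8):
    """Derive a 1..max_key_len byte key from the magic, then confirm it by
    decrypting and checking the header. Returns (key, plaintext) or None."""
    for magic in DEX_MAGICS:
        for klen in range(1, max_key_len + 1):
            key = xor_bytes(blob[:klen], magic[:klen])  # known-plaintext attack on the key
            plain = xor_bytes(blob, key)
            if looks_like_dex(plain):
                return key, plain
    return None

def build_sample_header() -> bytes:
    """Constructed minimal DEX header (0x70 bytes) with only the fixed fields populated."""
    hdr = bytearray(0x70)
    hdr[:8] = b"dex\n035\0"
    struct.pack_into("<I", hdr, 0x20, 0x70)        # file_size
    struct.pack_into("<I", hdr, 0x24, 0x70)        # header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)  # endian_tag
    return bytes(hdr)

SAMPLE_KEY = b"k3y!"  # constructed demo key, not taken from the malware
ENCRYPTED_ASSET = xor_bytes(build_sample_header(), SAMPLE_KEY)  # stands in for the asset blob

if __name__ == "__main__":
    result = recover_xor_key(ENCRYPTED_ASSET)
    print("recovered key:", result[0] if result else None)
```

On a real sample, feed the bytes of the suspicious asset file to `recover_xor_key`; a `None` result means the blob is not single- or short-key XOR of a DEX and needs deeper analysis of the loader.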
Users are encouraged to input sensitive information such as names, card numbers, CVVs, and expiration dates, which are subsequently transmitted to a command-and-control (C2) server.
After users submit their details, the app displays a misleading confirmation page that simulates legitimacy with a message promising email verification within 48 hours, even though none of the app's functionality actually works. Embedded within the second-stage code is a Firebase messaging service declared in the manifest, which listens for remote commands that activate the mining component.
This process involves downloading an encrypted .so binary from one of three hardcoded URLs, which is executed via Java’s ProcessBuilder as a standalone process, mirroring XMRig’s command-line options, including specifications for Monero mining pools. The RandomX algorithm, optimized for CPU efficiency, allows for profitable mining on mobile devices, while Monero’s privacy features obscure transactions, aiding cybercriminals in laundering their illicit gains.
Logs from the decrypted binary confirm the involvement of XMRig, enabling silent background operations without user awareness. This campaign builds upon previous threats targeting India, as highlighted in McAfee’s earlier reports, but innovates by integrating real-time phishing with dynamic payload loading and remote activation.
The staged decryption of the dropper complicates reverse engineering efforts, while FCM-based triggers keep the malware dormant until activated, significantly reducing the risk of detection. Phishing sites often feature “Get App” buttons that deliver the malicious APK, frequently promoted through SMS, WhatsApp, or social media channels.
To mitigate risks, users are advised to download apps exclusively from Google Play, scrutinize unsolicited links, and utilize robust mobile security solutions to defend against such threats. This combination of data theft and cryptojacking highlights the evolving sophistication of malware, necessitating vigilant user practices and advanced security measures.
Indicators of Compromise (IOCs)
| Type | Value | Description |
|---|---|---|
| APK | 2c1025c92925fec9c500e4bf7b4e9580f9342d44e21a34a44c1bce435353216c | SBI Credit Card |
| APK | b01185e1fba96209c01f00728f6265414dfca58c92a66c3b4065a344f72768ce | ICICI Credit Card |
| APK | 80c6435f859468e660a92fc44a2cd80c059c05801dae38b2478c5874429f12a0 | Axis Credit Card |
| APK | 59c6a0431d25be7e952fcfb8bd00d3815d8b5341c4b4de54d8288149090dcd74 | IndusInd Credit Card |
| APK | 40bae6f2f736fcf03efdbe6243ff28c524dba602492b0dbb5fd280910a87282d | Kotak Credit Card |
| URL | https://www.sbi.mycardcare.in | Phishing Site |
| URL | https://kotak.mycardcard.in | Phishing Site |
| URL | https://axis.mycardcare.in | Phishing Site |
| URL | https://indusind.mycardcare.in | Phishing Site |
| URL | https://icici.mycardcare.in | Phishing Site |
| Firebase | 469967176169 | FCM Account |