Hackers mimic Google Play to spread crypto mining malware

Hackers are targeting victims via a new phishing scheme. According to a post from SecureList, hackers are using fake Google Play Store pages to spread an Android malware campaign in Brazil.

The harmful app appears to be a legitimate download, but once installed, it converts infected phones into crypto mining machines. Moreover, it is used to install banking malware and grant remote access to threat actors.

Hackers turn Brazilian smartphones into crypto mining machines

The campaign starts on a phishing website that looks almost identical to Google Play. One of the pages offers a fake app called INSS Reembolso, which claims to be linked to Brazil’s social security service. The UX/UI design copies a trusted government service and the Play Store layout to make the download appear safe.

After installing the fake app, the malware unpacks hidden code in multiple stages. It uses encrypted components and loads the main malicious code directly into memory. There are no visible files on the device, making it hard for users to detect any suspicious activity.

The malware also evades analysis by security researchers. It checks whether the phone is running in an emulated environment. If it detects one, it stops working.

After successful installation, the malware continues to pull down more malicious files. It shows another fake Google Play-style screen, then displays a false update prompt and pushes the user to tap the update button.

One of those files is a crypto miner, which is a version of XMRig compiled for ARM devices. The malware fetches the mining payload from attacker-controlled infrastructure. Then it decrypts it and runs it on the phone. The payload connects infected devices to mining servers controlled by the attackers to mine crypto silently in the background.

The malware is sophisticated and does not mine crypto blindly. According to SecureList’s analysis, the malware monitors the battery charge percentage, temperature, installation age, and whether the phone is being actively used. Mining starts or stops based on the monitored data. The goal is to stay hidden and reduce any chance of detection.

Android kills background apps to save battery, but the malware evades this by looping an almost silent audio file. It fakes active use to avoid Android’s auto-deactivation.

To continue sending commands, the malware uses Firebase Cloud Messaging, which is a legitimate Google service. This makes it easy for attackers to send new instructions and manage activity on the infected device.

Banking Trojan targets USDT transfers

The malware does more than mine coins. Some versions also install a banking Trojan that targets Binance and Trust Wallet, especially during USDT transfers. It overlays fake screens on top of the real apps, then it quietly replaces the wallet address with one controlled by the attacker.

The banking module also monitors browsers like Chrome and Brave and supports a wide range of remote commands. These include recording audio, capturing screens, sending SMS messages, locking the device, wiping data, and logging keystrokes.

Other recent samples keep the same fake app delivery method but switch to a different payload. They install BTMOB RAT, a remote access tool sold in underground markets.

BTMOB is part of a malware-as-a-Service (MaaS) ecosystem. Attackers can buy or rent it, which lowers the barrier to hacking and theft. The tool gives attackers deeper access, including screen recording, camera access, GPS tracking, and credential theft.

BTMOB is actively promoted online. A threat actor shared demos of the malware on YouTube, showing how to control infected devices. Sales and support are handled through a Telegram account.

SecureList stated that all known victims are in Brazil. Some newer variants are also spreading through WhatsApp and other phishing pages.

Sophisticated hacking campaigns like this are reminders to verify everything and trust nothing.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.