CYFIRMA Threat Intelligence has released an in-depth technical report on GhostGrab, a sophisticated Android malware family that merges cryptocurrency mining and financial data theft into one hybrid payload. The analysis highlights GhostGrab as a new evolution in mobile cybercrime, capable of monetizing both the user’s personal data and device resources simultaneously.
In its report, CYFIRMA describes GhostGrab as “a sophisticated multifaceted Android malware family… representing a significant escalation in mobile threats, merging resource-oriented attacks with direct financial fraud.”
Unlike conventional Android stealers, GhostGrab doesn’t just exfiltrate sensitive financial data—it also turns the infected phone into a Monero cryptocurrency miner, draining its battery and CPU while stealing money in the background.
“GhostGrab functions as a hybrid threat, combining covert cryptocurrency mining operations with comprehensive data exfiltration capabilities,” CYFIRMA noted. “It is engineered to systematically harvest sensitive financial information, including banking credentials, debit card details, and one-time passwords (OTPs) via SMS interception.”
GhostGrab’s core functionality centers on multi-vector data theft, systematically collecting highly sensitive information from infected devices. CYFIRMA reports that the malware steals:
- Online banking credentials and transaction passwords.
- Debit and ATM card details, including CVV and PIN.
- Personally identifiable information such as Aadhaar numbers and mobile numbers.
- Full SMS history and OTP messages for account takeover and transaction fraud.
The report explains that GhostGrab also performs comprehensive device fingerprinting, collecting hardware details, SIM card data, and root status to tailor its persistence and exfiltration routines.
GhostGrab includes a hidden Monero mining module that activates after installation, connecting to attacker-controlled pools at pool.uasecurity[.]org:9000.
CYFIRMA observed that the dropper constructs command-line parameters for the cryptocurrency miner, including a hardcoded Monero wallet and configuration flags such as `--tls` and `--nicehash`.
The mining process consumes significant CPU power and battery life, generating direct profits for the attackers while degrading device performance.
GhostGrab deploys multiple localized phishing pages embedded within its APK assets, each loaded through a WebView that mimics legitimate banking portals. CYFIRMA described these as “staged phishing workflows that gradually collect increasingly sensitive information.”
The app guides victims through a fake Know Your Customer (KYC) process, requesting personal details, debit card numbers, CVVs, online banking credentials, and ATM PINs.
“The final phishing stage loads pin.html, prompting the user to enter their four-digit ATM PIN,” CYFIRMA wrote. “Once submitted, the attacker obtains all information necessary to execute account takeover, card cloning, or direct ATM fraud.”
Captured data is transmitted in real time to a Firebase Realtime Database controlled by the attacker, where each victim’s data is indexed by a unique device identifier.
To maintain long-term control, GhostGrab uses foreground services, alarm receivers, and broadcast listeners that reactivate the malware after every system event, including reboots, screen toggles, or network changes.
CYFIRMA explains:
“Continuous silent playback combined with a sticky foreground notification increases process priority and prevents Doze-mode throttling, allowing the malware to survive system kills.”
It also hides its app icon by replacing the default launcher category with CATEGORY.INFO, ensuring the application runs invisibly in the background.
GhostGrab uses Firebase Cloud Messaging (FCM) as its Command and Control (C2) channel, receiving attacker-issued commands for SMS interception, call forwarding, and data uploads.
CYFIRMA found that “when the malware receives a callForward command from its remote controller, it issues USSD sequences to enable or disable call forwarding on targeted SIM slots.”
Through these commands, attackers can reroute calls and OTPs to their own numbers, effectively bypassing two-factor authentication systems.
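A defender-side triage check for the persistence and control traits described above (hidden launcher icon via the INFO category instead of LAUNCHER, a boot receiver, SMS permissions, the CALL_PHONE permission needed to dial USSD codes, and a foreground service). This is an added example, not code from CYFIRMA or the GhostGrab sample; the manifest is constructed, and the package name is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
FGS_TYPE = "{%s}foregroundServiceType" % ANDROID_NS

# Constructed sample AndroidManifest.xml showing the traits to look for;
# "com.example.kyc" is a placeholder package name, not an indicator.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.kyc">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.INFO"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".KeepAliveService" android:foregroundServiceType="mediaPlayback"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return a sorted list of suspicious traits found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    findings = set()
    # A MAIN activity tagged INFO but not LAUNCHER gets no home-screen icon.
    for act in root.iter("activity"):
        for f in act.iter("intent-filter"):
            actions = {a.get(NAME) for a in f.iter("action")}
            cats = {c.get(NAME) for c in f.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.INFO" in cats
                    and "android.intent.category.LAUNCHER" not in cats):
                findings.add("hidden_launcher")
    # Receivers on BOOT_COMPLETED re-arm the app after every reboot.
    for rcv in root.iter("receiver"):
        if any(a.get(NAME) == "android.intent.action.BOOT_COMPLETED" for a in rcv.iter("action")):
            findings.add("boot_persistence")
    if {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"} & perms:
        findings.add("sms_access")          # OTP interception
    if "android.permission.CALL_PHONE" in perms:
        findings.add("call_control")        # needed to issue USSD call-forwarding codes
    if any(s.get(FGS_TYPE) for s in root.iter("service")):
        findings.add("foreground_service")  # sticky notification / Doze resistance
    return sorted(findings)
```

Run it against a manifest decoded with apktool or a similar tool; several of these traits together in a supposed "KYC" app are worth a closer look, although any single one is common in benign apps.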
The infrastructure behind GhostGrab relies on a set of recently registered domains, including:
- kychelp[.]live – used as the initial malware delivery site.
- uasecurity[.]org – hosting C2 operations and Monero mining pools.
CYFIRMA notes that “the domain kychelp[.]live was registered on June 9, 2025, and last updated on June 14, 2025… its short lifespan and rapid rotation are typical of domains used in malicious campaigns.”
The report also links the campaign to the “APK protection” service advertised on access.uasecurity[.]org, which offers obfuscation and hardening services to conceal malicious Android packages.
CYFIRMA’s dynamic analysis revealed that the attacker’s Firebase backend contained structured repositories of stolen data — 1,519 captured SMS messages, 32 active client devices, and a separate control object used for remote management.
Each entry included device model, Android version, battery level, and SIM details, suggesting that GhostGrab’s operators are managing a large-scale and coordinated infection campaign.