Fake card verification screen | Image: McAfee
The McAfee Mobile Research Team has uncovered a sophisticated Android malware campaign that poses a dual threat to Hindi-speaking users in India. Masquerading as legitimate apps from leading financial institutions like SBI Card, Axis Bank, and IndusInd Bank, the malware not only steals personal and banking information, but also silently mines Monero cryptocurrency (XMR) in the background, all while pretending to be a Google Play app update.
The campaign operates through phishing websites carefully designed to impersonate official Indian banking sites. These deceptive sites replicate real visual elements (logos, UI components, and domain styles) to trick users into downloading a fake app. Once installed, the app displays a screen that mimics the Google Play Store, prompting the user to “update” the app.
“These phishing pages load images, JavaScript, and other web resources directly from the official websites to appear legitimate,” the report explains.
Once the user proceeds, the malware executes a multi-stage payload to bypass detection. It begins with an encrypted DEX file hidden in the app's assets; that file is decrypted in memory and in turn loads a second, more heavily encrypted malicious component.
Upon activation, the malware presents a fake banking interface designed to harvest sensitive information:
- Full name
- Credit/debit card number
- CVV and expiry date
This data is then stealthily sent to the attacker's command-and-control (C2) server. The user is further deceived with fake progress messages such as “You will receive email confirmation within 48 hours”, falsely reinforcing the illusion of legitimacy.
Beyond stealing financial data, this campaign engages in hidden cryptojacking, the unauthorized use of the victim's phone to mine Monero (XMR). When triggered via Firebase Cloud Messaging (FCM), the malware downloads a native binary from one of three hardcoded URLs and executes it using ProcessBuilder, the standard Java class for launching operating-system processes.
“The malware passes a set of arguments to the process that exactly match the command-line options used by XMRig, an open-source mining tool,” the report notes.
This method allows the attacker to:
- Steal the victim's CPU resources for prolonged Monero mining
- Stay hidden until receiving specific remote commands
- Use a modular architecture to evade detection tools
Notably, the app executes XMRig-compatible binaries, as confirmed by log messages that match those produced by the mining software.
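The two indicators the report relies on, a ProcessBuilder argument list that matches XMRig's command-line options and console output that matches XMRig's log format, can both be turned into simple detection logic. The following Python is an added example written for this article, not code from McAfee's report or from the malware; the argument lists, log lines, pool host and wallet string are constructed placeholders, and the option names and log patterns are taken from XMRig's documented command line and normal console output.

```python
import re
from dataclasses import dataclass, field

# Short and long forms of command-line options documented by XMRig.
# A miner launched through ProcessBuilder receives these as its argv.
XMRIG_OPTIONS = {
    "-o", "--url", "-u", "--user", "-p", "--pass", "-a", "--algo",
    "-k", "--keepalive", "-t", "--threads", "--coin", "--donate-level",
    "--tls", "--nicehash", "--rig-id", "-B", "--background",
}

# Mining pools are addressed with stratum URLs; this is a strong signal on its own.
STRATUM_RE = re.compile(r"^stratum\+(tcp|ssl|tls)://", re.IGNORECASE)

# Fragments of the lines XMRig prints at start-up and while mining.
XMRIG_LOG_PATTERNS = [
    re.compile(r"\* ABOUT\s+XMRig/\d+\.\d+"),
    re.compile(r"\* POOL #\d+"),
    re.compile(r"\* HUGE PAGES"),
    re.compile(r"new job from \S+ diff \d+"),
    re.compile(r"accepted \(\d+/\d+\) diff \d+"),
    re.compile(r"speed 10s/60s/15m"),
]


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def score_process_args(args):
    """Score an argv (argv[0] is the binary) for XMRig-like options.

    Each recognised option adds 1; a stratum pool URL adds 2, because short
    flags such as -o or -p are shared with many harmless tools and should
    not trigger on their own.
    """
    verdict = Verdict()
    for tok in args[1:]:
        name, _, value = tok.partition("=")  # accept "--url=host" and "--url host"
        if name in XMRIG_OPTIONS:
            verdict.score += 1
            verdict.reasons.append(f"xmrig option {name}")
        if STRATUM_RE.match(tok) or STRATUM_RE.match(value):
            verdict.score += 2
            verdict.reasons.append("stratum pool url")
    return verdict


def is_xmrig_like(args, threshold=3):
    """True when the argv scores at or above the threshold."""
    return score_process_args(args).score >= threshold


def scan_log_lines(lines):
    """Return the log lines that match XMRig's console output format."""
    return [line for line in lines
            if any(p.search(line) for p in XMRIG_LOG_PATTERNS)]


# Constructed sample argv, as a miner launched by the malware might receive it.
# The binary path, pool host and wallet are placeholders, not real indicators.
SAMPLE_ARGS = [
    "/data/data/com.example.fakebank/files/native_payload",
    "-o", "stratum+tcp://pool.example.invalid:3333",
    "-u", "4PLACEHOLDER_WALLET_ADDRESS",
    "-p", "x",
    "-a", "rx/0",
    "-k",
    "--donate-level=1",
    "-B",
]

# Constructed benign argv for comparison; shares no XMRig options.
BENIGN_ARGS = ["/system/bin/ping", "-c", "3", "example.invalid"]

# Constructed log excerpt in XMRig's console format, mixed with one unrelated line.
SAMPLE_LOG = [
    " * ABOUT        XMRig/6.0.0 gcc/9.4.0",
    " * LIBS         libuv/1.44.2 OpenSSL/3.0.8",
    " * HUGE PAGES   unavailable",
    " * POOL #1      pool.example.invalid:3333 algo rx/0",
    "[2025-01-01 00:00:00.000]  net      new job from pool.example.invalid:3333 diff 100000 algo rx/0 height 1",
    "[2025-01-01 00:00:10.000]  miner    speed 10s/60s/15m 120.5 n/a n/a H/s max 125.0 H/s",
    "[2025-01-01 00:00:20.000]  cpu      accepted (1/0) diff 100000 (312 ms)",
    "I/ActivityManager: Displayed com.android.settings/.Settings",
]

if __name__ == "__main__":
    for argv in (SAMPLE_ARGS, BENIGN_ARGS):
        v = score_process_args(argv)
        print(argv[0], "score", v.score, "xmrig-like" if is_xmrig_like(argv) else "benign", v.reasons)
    for hit in scan_log_lines(SAMPLE_LOG):
        print("miner log:", hit.strip())
```

The weighting matters more than the option list: an argv with a stratum URL plus any one recognised option crosses the threshold, while a tool that happens to use `-o` or `-p` does not. On a device, the same functions can be fed the argv recorded by an EDR or ADB process listing and the app's logcat output; a hit on both sources at once is the combination the report describes.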
While the campaign is laser-focused on Indian users, McAfee noted a limited number of infections in other regions, likely due to phishing links spreading beyond their intended audience.
In response to McAfee's report, Google has blocked the associated Firebase Cloud Messaging account to curb the malware's communication capabilities. Additionally, McAfee Mobile Security detects these apps as High-Risk threats.