TLDR:
- Hackers are using fake Google Play Store pages in Brazil to distribute malware disguised as legitimate apps.
- The malware runs XMRig on infected Android devices, silently mining crypto while avoiding battery detection.
- A banking Trojan targets Binance and Trust Wallet, replacing wallet addresses during live USDT transactions.
- BTMOB RAT, a malware-as-a-service tool, gives attackers camera, GPS, and credential access on infected phones.
Android malware is spreading across Brazil through counterfeit Google Play Store pages, according to a new report by SecureList.
Hackers are using phishing websites to distribute apps that appear legitimate. Once installed, these apps silently convert infected phones into crypto mining devices.
Some variants also deploy a banking Trojan. The campaign currently targets Brazilian users exclusively, with newer versions spreading through WhatsApp and additional phishing channels.
Fake App Turns Phones Into Crypto Mining Machines
The campaign starts with a phishing website that closely mimics the Google Play Store. One of the fake apps is called INSS Reembolso, which claims to be tied to Brazil’s social security service.
The design copies trusted government branding and the Play Store layout, making the download appear safe to unsuspecting users.
After a user installs the fake app, the malware begins unpacking hidden code through multiple stages. It uses encrypted components and loads the main malicious code directly into the phone’s memory.
SecureList noted that “there are no visible files on the device, making it hard for users to detect any suspicious activity.”
The malware also takes steps to evade detection by security researchers. It checks whether the phone is running in an emulated environment and stops all activity if it detects one.
This evasion technique makes it harder to analyze in a lab setting. Android normally kills background apps to save battery, but the malware loops a silent audio file to fake active use.
Once the malware is fully active, it fetches a crypto mining payload from attacker-controlled infrastructure. This payload is a version of XMRig compiled for ARM devices, which are common in Android smartphones.
The infected device connects to mining servers and mines cryptocurrency silently in the background. According to SecureList, “the malware monitors the battery charge percentage, temperature, installation age, and whether the phone is being actively used,” with mining starting or stopping based on that data.
Banking Trojan Targets Binance and Trust Wallet Users
Beyond crypto mining, some versions of the malware install a banking Trojan that targets Binance and Trust Wallet.
During USDT transfers, the Trojan overlays fake screens on top of the real apps. It then quietly replaces the recipient wallet address with one controlled by the attacker.
The banking module also monitors popular browsers, including Chrome and Brave. SecureList confirmed the module “supports a wide range of remote commands,” including screen recording, audio capture, SMS sending, keystroke logging, device locking, and data wiping.
It additionally uses Firebase Cloud Messaging to receive instructions from attackers. All of these actions are carried out remotely without the user’s knowledge.
Other recent samples use the same fake app delivery method but switch the payload to BTMOB RAT. This remote access tool is sold in underground markets as part of a malware-as-a-service ecosystem. It provides deeper access, including camera control, GPS tracking, and credential theft.
SecureList confirmed that “all known victims are in Brazil,” though newer variants are also spreading through WhatsApp and other phishing pages.
BTMOB is actively promoted across online platforms, including YouTube and Telegram. Sales and support are handled through a dedicated Telegram account, which lowers the barrier for less-skilled attackers.
The post Hackers Use Fake Google Play Pages to Spread Crypto Mining Malware Across Brazil appeared first on Blockonomi.