Dual-Purpose Android Malware Targets Indian Banking Users for Financial Theft & Crypto Mining

Published Date: August 5, 2025
Category: ShadowOpsIntel
Share:

McAfee Labs recently uncovered a sophisticated Android malware campaign actively targeting Indian banking users. This campaign uniquely combines financial credential theft with stealth cryptocurrency mining, focusing on Hindi-speaking users. Distributed via phishing websites mimicking trusted Indian financial institutions, the malware acts as a dropper and uses Firebase Cloud Messaging (FCM) to execute its payload stealthily.

Severity Level: High

Threat Details

  1. Region Affected: Primarily targets India with localized lures; limited detections globally.
  2. Industries Affected: Financial services, mobile banking users
  3. Delivery & Infection Mechanism
    • Phishing Sites:
      • Clone official Indian bank sites (e.g., www.sbi.mycardcare[.]in, kotak.mycardcard[.]in)
      • Deliver fake Android APKs disguised as legitimate app updates
    • Dropper Technique:
      • Malware APKs initially appear benign
      • On execution, they decrypt and load a secondary malicious payload
    • Stages:
      • Encrypted DEX loader file is decrypted using XOR key
      • Loader fetches and decrypts a second-stage payload
      • Final payload mimics banking interface to phish credentials
  4. Credential Theft Operation
    • Fake UI mimics real banking apps
    • Prompts victims for: Cardholder name, Credit card number, CVV, Expiry date
    • Stolen data exfiltrated to C2 servers
  5. Cryptocurrency Mining Functionality
    • Uses XMRig (an open-source Monero miner)
    • Triggered via Firebase Cloud Messaging (FCM) commands
    • Executes hidden background mining on mobile devices using:
      • Downloaded .so binary (native library)
      • Java ProcessBuilder to simulate legitimate mining CLI
    • Hardcoded URLs used to download encrypted mining binaries
  6. Stealth & Evasion
    • Multi-stage payload loading to evade static analysis
    • Use of Firebase for remote activation and C2 commands
    • Combines social engineering (banking disguise) with technical obfuscation

Recommendations

  1. Only download mobile apps from official app stores like Google Play. Avoid installing APKs shared via messaging apps, emails, or unofficial websites.
  2. Avoid clicking on links received through SMS, WhatsApp, or social media, especially those claiming to be banking or financial services.
  3. Ensure that Google Play Protect is turned on to scan for harmful apps on Android devices.
  4. Install a reputable mobile security solution that detects phishing and malware threats in real-time.
  5. Train users – especially those in finance or using BYOD – to recognize fake banking apps, phishing messages, and unusual battery drain (sign of cryptomining).
  6. Establish clear policies for BYOD vs. corporate devices, particularly when handling sensitive financial data.
  7. Apply the latest Android security patches across all endpoints to reduce the chance of exploitation by loaders or privilege escalation modules.
  8. Block the IOCs at their respective controls
    https://www.virustotal.com/gui/collection/8c85b5a260fb0069c8da875ca68550ab70d00fd03ccd6e201bed27d83842decc/iocs

Source:

  • https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Talk to an expert