Android Cryptojacker Masquerades as Banking App to Mine Cryptocurrency on Locked Devices

In this campaign, adversaries use phishing techniques and impersonate a legitimate financial institution, specifically Axis Bank, to deceive users into installing a malicious Android app named “Axis Card”. Though it mimics a banking application visually, its actual purpose is to silently mine Monero cryptocurrency using the infected device’s CPU resources. The malware leverages an innovative stealth mechanism: it triggers cryptomining only when the device is locked, avoiding user suspicion and maximizing resource abuse.

Severity Level: High

Threat Details

  1. Initial Infection: The victim is lured to a phishing site (getxapp[.]in) impersonating Axis Bank, or via malicious links on messaging platforms like WhatsApp.
  2. App Installation: The user downloads and installs the “Axis Card” APK. The app masquerades as a legitimate banking application using the Axis Bank icon and name.
  3. Deceptive UI Display: On launch, the app shows a fake update screen with an “UPDATE” button. No real banking function is present. Clicking “UPDATE” initiates a staged install process that ends with an “installer expired” message.
  4. Background Monitoring Begins: The app silently begins monitoring the device for lock status, battery level, and installation conditions using periodic checks every 5 seconds.
  5. Payload Retrieval: Upon detecting that the device is locked, the app attempts to download an encrypted mining payload (.so file). These payloads are variants of the XMRig miner, encrypted to bypass detection.
  6. Decryption & Execution: The downloaded payload is decrypted using AES and saved as d-miner in the app’s private directory. It is then marked executable.
  7. Mining Initialization: Once decrypted, the miner connects to the mining pool at pool[.]uasecurity[.]org:9000 or its proxy and starts mining Monero (XMR) using 8 CPU threads and 2.3 GB RAM.
  8. Lock-Unlock Behavior: Mining only runs when the device is locked. As soon as the device is unlocked, mining stops and the app returns to monitoring state. When the device locks again, mining resumes.
  9. Continuous Operation: This loop continues indefinitely, exploiting idle device time while appearing benign to the user.
  10. Reporting & Logging: The miner logs output into a report.txt file and uploads it to attacker infrastructure for monitoring performance and earnings.
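Steps 4 to 8 describe the behaviour a defender can key on: heavy CPU use that appears only while the screen is locked and vanishes on unlock. The following Python script is an added illustration, not code from the advisory or from Seqrite; it correlates a constructed screen-state timeline with constructed per-app CPU samples (taken every 5 seconds, matching the app's own polling interval) and flags packages whose load is lock-correlated. Package names are placeholders, since the advisory does not name the APK's package.

```python
from collections import defaultdict
from statistics import mean

# Constructed screen-state timeline: (timestamp_s, state). The advisory says
# mining runs only while the device is locked and stops as soon as it is unlocked.
SCREEN_EVENTS = [(0, "locked"), (60, "unlocked"), (90, "locked"), (150, "unlocked")]

# Placeholder package name; the advisory does not give the real one.
MINER_PKG = "com.example.axiscard_placeholder"


def screen_state_at(t, events):
    """Return the screen state ('locked' or 'unlocked') in effect at time t."""
    state = "unlocked"
    for ts, s in sorted(events):
        if ts > t:
            break
        state = s
    return state


def build_samples():
    """Constructed per-app CPU samples, one every 5 s like the app's own polling."""
    samples = []
    for t in range(0, 180, 5):
        locked = screen_state_at(t, SCREEN_EVENTS) == "locked"
        samples.append((t, MINER_PKG, 740.0 if locked else 2.0))  # burns CPU only when locked
        samples.append((t, "com.example.browser", 1.0 if locked else 35.0))  # normal foreground use
        samples.append((t, "com.example.music", 60.0))  # steady load, not lock-correlated
    return samples


def lock_correlated_apps(samples, events, locked_min=200.0, unlocked_max=10.0):
    """Flag packages whose mean CPU is high while locked but near idle while unlocked.

    CPU percentages are summed over cores, as top reports them, so >100% is normal
    for a multi-threaded miner. Returns {package: (locked_mean, unlocked_mean)}.
    """
    locked, unlocked = defaultdict(list), defaultdict(list)
    for t, pkg, cpu in samples:
        bucket = locked if screen_state_at(t, events) == "locked" else unlocked
        bucket[pkg].append(cpu)
    flagged = {}
    for pkg, vals in locked.items():
        l_mean = mean(vals)
        u_mean = mean(unlocked[pkg]) if unlocked.get(pkg) else 0.0
        if l_mean >= locked_min and u_mean <= unlocked_max:
            flagged[pkg] = (round(l_mean, 1), round(u_mean, 1))
    return flagged


if __name__ == "__main__":
    print(lock_correlated_apps(build_samples(), SCREEN_EVENTS))
```

On a real device the same logic can be fed from screen on/off broadcasts and periodic per-process CPU snapshots collected by an MTD agent.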

Device Impact Over Time

  • CPU Usage: >746%
  • Memory Consumption: ~27.5%
  • Temperature Rise: from 32°C to 45°C in 30 minutes
  • User Visibility: None (background only, no visible interface)

Recommendations

  1. Only install applications from trusted sources like the Google Play Store. Avoid APKs from third-party websites or unknown links.
  2. Be suspicious of apps mimicking financial institutions, especially when prompted to download outside of official stores.
  3. Verify app permissions during installation: beware of apps asking for unnecessary access (e.g., WAKE_LOCK, BOOT_COMPLETED, INSTALL_PACKAGES).
  4. Educate users on how lock-state-triggered mining works and its symptoms: battery drain, overheating, and lag during idle periods.
  5. Enable Google Play Protect to scan and verify app legitimacy continuously.
  6. Use Mobile Threat Defense (MTD) solutions in BYOD and enterprise environments to monitor for anomalous behaviors and CPU abuse.
  7. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/4c85bec1c1bc81348e7869cee9883fd89bb7d8861047c72a5050d69e2c28a578/iocs

Source:

  • https://www.seqrite.com/blog/android-cryptojacker-disguised-as-banking-app-exploits-device-lock-state/
