McAfee’s Mobile Research Team uncovered an Android malware campaign targeting Hindi-speaking users in India by impersonating popular financial apps and distributing malicious apps via phishing websites. The malware steals personal financial information and clandestinely mines Monero cryptocurrency using XMRig, triggered remotely by Firebase Cloud Messaging (FCM). #XMRig #FirebaseCloudMessaging #Monero #SBI #AxisBank #IndusIndBank
Keypoints
- The malware targets Hindi-speaking users mainly in India by impersonating financial apps like SBI Card, Axis Bank, and IndusInd Bank via phishing websites.
- It uses a dropper app that dynamically decrypts and loads malicious payloads to evade static detection and analysis.
- The malware steals sensitive user information including names, card numbers, CVV, and expiration dates, sending them to a command-and-control server.
- A hidden cryptomining component mines Monero cryptocurrency in the background, activated by receiving specific commands via Firebase Cloud Messaging (FCM).
- The mining process uses a downloaded encrypted binary executed through ProcessBuilder with XMRig-compatible arguments.
- McAfee reported the malicious apps to Google, resulting in the blocking of the associated FCM account and detection of these apps as High-Risk threats by McAfee Mobile Security.
- Users are advised to download apps only from trusted sources and be cautious about financial information requests from unfamiliar apps and phishing links.
MITRE Techniques
- [T1566] Phishing – Distribution via phishing websites impersonating legitimate Indian banking sites to trick users into downloading malicious APKs (“phishing websites that impersonate Indian financial services”).
- [T1622] Masquerading – The malware impersonates legitimate financial apps and shows fake update screens mimicking Google Play (“the first screen the user sees looks like a Google Play Store page”).
- [T1204.002] User Execution: Malicious File – The dropper app requires the user to run it and interact with it before the malicious payload is installed (“app includes an encrypted DEX file…which is decrypted and loaded dynamically”).
- [T1105] Ingress Tool Transfer – Malware downloads encrypted binary files for mining from hardcoded URLs (“routine that attempts to download a binary file from external sources”).
- [T1059] Command and Scripting Interpreter – Use of ProcessBuilder to execute the mining binary (“uses ProcessBuilder…to directly execute the file like a standalone binary”).
- [T1496] Resource Hijacking: Cryptocurrency Mining – Background mining of Monero using XMRig triggered remotely via Firebase Cloud Messaging (“silently initiates a background mining process for Monero (XMR)…triggered via FCM”).
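As an added example (not McAfee's code nor the malware's), the Python script below scores strings extracted from a decompiled APK against the behaviours listed in the key points and the MITRE mapping above: dynamic DEX loading, an FCM listener, ProcessBuilder execution, XMRig-style mining arguments and card-data field names. The class names are real Android/Firebase APIs, the flags are real XMRig options, and the sample strings are constructed.

```python
"""Heuristic triage for the dropper/miner behaviour the report describes (added example)."""
import re

# Class names are real Android/Firebase APIs; the flags are real XMRig options.
RULES = {
    "dynamic_dex_loading": re.compile(r"dalvik/system/(InMemory)?DexClassLoader"),
    "fcm_listener": re.compile(r"com/google/firebase/messaging/FirebaseMessagingService"),
    "process_builder": re.compile(r"java/lang/ProcessBuilder"),
    "xmrig_args": re.compile(r"(--donate-level|--algo\b|\brx/0\b|stratum\+tcp://)"),
    "card_harvesting": re.compile(r"\b(cvv|card_?number|expir(y|ation|e))", re.I),
}

def scan_strings(strings):
    """Return {rule_name: [matching strings]} for every rule that fired."""
    hits = {}
    for s in strings:
        for name, rx in RULES.items():
            if rx.search(s):
                hits.setdefault(name, []).append(s)
    return hits

def classify(hits):
    """Turn rule hits into the verdicts an analyst would act on."""
    verdicts = []
    if "dynamic_dex_loading" in hits:
        verdicts.append("dropper: loads code at runtime")
    if "process_builder" in hits and "xmrig_args" in hits:
        verdicts.append("cryptominer: executes binary with XMRig-style arguments")
        if "fcm_listener" in hits:
            verdicts.append("remote trigger: FCM listener present")
    if "card_harvesting" in hits:
        verdicts.append("infostealer: card-data field names")
    return verdicts

# Constructed sample mimicking strings from a decompiled dropper (not real IoCs).
SAMPLE_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "Lcom/google/firebase/messaging/FirebaseMessagingService;",
    "Ljava/lang/ProcessBuilder;",
    "--donate-level", "rx/0", "stratum+tcp://pool.example.invalid:3333",
    "card_number", "cvv", "expiry_date",
    "Lcom/example/ui/MainActivity;",  # benign noise, matches no rule
]

if __name__ == "__main__":
    for v in classify(scan_strings(SAMPLE_STRINGS)):
        print(v)
```

A single hit (for example ProcessBuilder alone) deliberately yields no verdict; it is the combination of runtime loading, a mining-style command line and a push-message listener that matches the campaign described here.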
Indicators of Compromise
- [APK Hash] Malicious app samples targeting various banks – 2c1025c92925fec9c500e4bf7b4e9580f9342d44e21a34a44c1bce435353216c (SBI Credit Card), b01185e1fba96209c01f00728f6265414dfca58c92a66c3b4065a344f72768ce (ICICI Credit Card), and 3 more hashes.
- [URL] Phishing websites imitating Indian banks – https://www.sbi.mycardcare.in, https://kotak.mycardcard.in, and 3 more URLs.
- [Firebase Cloud Messaging (FCM) Account] Abused for command and control – 469967176169.