TechFlow News: On March 22, SecureList reported that hackers launched an Android malware campaign in Brazil using phishing pages impersonating the Google Play Store. All known victims to date are located in Brazil.
The attackers set up phishing websites closely resembling the Google Play Store to lure users into downloading a counterfeit app named “INSS Reembolso.” Once installed, the app releases its hidden malicious code in stages and loads it directly into memory for execution, leaving no visible files on the device and making it hard to detect.
One core function of the malware is cryptocurrency mining. It embeds an XMRig mining program compiled for ARM that silently connects in the background to mining servers controlled by the attackers. The program monitors battery level, device temperature, and usage status to dynamically adjust mining activity and evade detection. Additionally, it bypasses Android’s background process management mechanism by continuously playing silent audio files.
Some variants also include banking trojan functionality, overlaying fake interfaces on the USDT transfer screens of Binance and Trust Wallet to silently replace the recipient address. Furthermore, the malware supports multiple remote control commands, including audio recording, screenshot capture, keystroke logging, and remote device locking.




