McAfee’s Mobile Research Team has discovered a new Android malware campaign aimed at Hindi-speaking users, mostly in India. The threat combines theft of financial data with hidden background cryptomining, making it a serious risk to banking customers. The malware masquerades as legitimate Indian financial apps, spreads through phishing websites, and relies on social engineering to deceive and misdirect victims.

According to Moideenkutty, the malware specifically targets prominent Indian financial applications such as SBI Card, Axis Bank, and IndusInd Bank, with the aim of harvesting banking credentials from unwary users. Posing as these trusted institutions makes unsuspecting users more likely to download and install the malicious app, and the Hindi-language lure lets the campaign speak directly to its intended victims. This combination makes it a distinctly localized threat.

Deceptive Distribution and Infection Tactics

The malware is distributed via phishing websites that closely mimic the legitimate portals of Indian financial services and trick users into downloading counterfeit apps that look like the real thing. Once installed, the malware uses evasion techniques: loading is split into two stages, so the malicious code is kept outside the primary application package (APK) and fetched only at runtime.

When victims open the fraudulent app, they are met with a misleading login screen designed to look exactly like that of a real financial app. The malware also displays a fake card management page with reassuring messages such as "You will receive email confirmation within 48 hours," further convincing users that they are dealing with a legitimate service. The mimicry is close enough that most users cannot tell the fake app from the genuine one.

The malware contains three hardcoded URLs from which it downloads a binary file. If one download location is taken down or blocked, the others still serve the payload, which makes the campaign more resilient to disruption.
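The two-stage loading and the three fallback download URLs described above leave traces that can be checked for statically. The following is an added example, not McAfee’s tooling or anything recovered from the campaign: a Python triage script that unpacks an APK, scans each classes*.dex for hardcoded URLs, runtime class-loader references and a Firebase messaging service, and reports a verdict. The sample APK it builds, including the `.invalid` URLs and the fake package name, is constructed for illustration; the real indicators are not given in the article.

```python
"""Static triage of an APK for loader traits: hardcoded download URLs,
runtime code loading from outside the package, and an FCM service.
Added example, not McAfee's tooling; every indicator string and the
sample APK below are constructed for illustration."""
import io
import re
import zipfile

# DEX string tables store descriptors as MUTF-8, so ASCII byte matching on
# the raw file is enough for triage.  These loader classes let an app run
# code that is not part of the APK itself (two-stage loading).
DYNAMIC_LOADING_MARKERS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
)
# Firebase Cloud Messaging receiver: a sign the app can be triggered remotely.
FCM_MARKER = b"Lcom/google/firebase/messaging/FirebaseMessagingService;"
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_~:/?#@!$&'()*+,;=%]+")


def scan_dex(dex: bytes) -> dict:
    """Extract URLs and loader/FCM indicators from one DEX file."""
    return {
        "urls": {u.decode("ascii", "replace").rstrip(".,;)") for u in URL_RE.findall(dex)},
        "dynamic_loading": {m.decode() for m in DYNAMIC_LOADING_MARKERS if m in dex},
        "fcm": FCM_MARKER in dex,
    }


def verdict(f: dict) -> str:
    """Heuristic: a loader class plus hardcoded URLs is the two-stage pattern;
    several URLs on distinct hosts add download redundancy."""
    if f["dex_count"] == 0:
        return "no DEX found"
    if f["dynamic_loading"] and f["urls"]:
        hosts = {u.split("/")[2] for u in f["urls"]}
        return f"suspicious: runtime code loading with {len(f['urls'])} URL(s) on {len(hosts)} host(s)"
    if f["dynamic_loading"] or f["fcm"]:
        return "review: loader or FCM present but no hardcoded URLs"
    return "no loader indicators"


def scan_apk(apk: bytes) -> dict:
    """Scan every classes*.dex inside an APK (a zip) and merge the findings."""
    findings = {"urls": set(), "dynamic_loading": set(), "fcm": False, "dex_count": 0}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if not re.fullmatch(r"classes\d*\.dex", name):
                continue
            findings["dex_count"] += 1
            d = scan_dex(z.read(name))
            findings["urls"] |= d["urls"]
            findings["dynamic_loading"] |= d["dynamic_loading"]
            findings["fcm"] = findings["fcm"] or d["fcm"]
    findings["verdict"] = verdict(findings)
    return findings


def build_sample_apk(malicious: bool = True) -> bytes:
    """Constructed sample (not a real malware artefact): a zip with a fake DEX
    whose string table mimics a loader with three fallback download URLs."""
    strings = [b"Landroid/app/Activity;", b"onCreate"]
    if malicious:
        strings += [
            b"https://cdn-1.payload.invalid/sbi/update.bin",    # constructed
            b"https://cdn-2.payload.invalid/sbi/update.bin",    # constructed
            b"https://mirror.payload.invalid/axis/update.bin",  # constructed
            b"Ldalvik/system/DexClassLoader;",
            FCM_MARKER,
        ]
    dex = b"dex\n035\x00" + b"\x00" * 16 + b"\x00".join(strings) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("loader", build_sample_apk()), ("benign", build_sample_apk(False))):
        print(label, scan_apk(apk)["verdict"])
```

Run it on a real sample by passing `open("app.apk", "rb").read()` to `scan_apk`. A loader verdict is a reason to look harder, not proof: legitimate apps also use `DexClassLoader` and FCM, which is why the verdict requires both the loader reference and hardcoded URLs before calling a sample suspicious.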

Cryptomining and Data Theft

Beyond credential theft, the malware mines cryptocurrency on the victim’s device without their knowledge. The attackers start the mining remotely through Firebase Cloud Messaging (FCM), which gives them control over when mining runs without shipping the mining code in the original application. The malware launches the mining process with a set of arguments that exactly match the command-line options of XMRig, a legitimate open-source miner.
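A process whose arguments match XMRig’s option set is a strong runtime signal for the mining stage described above. The following Python is an added example, not McAfee’s detection logic: it parses a command line against XMRig’s documented options, requires a pool endpoint so that unrelated tools that also use `-o` or `-u` (ls, curl, gcc) are not flagged, and runs over a few constructed process records. The pool host, wallet string and package name in the records are invented for illustration.

```python
"""Flag process launches whose argv matches XMRig's command-line surface.
Added example, not McAfee's detection; the process records are constructed."""
import re
import shlex

# XMRig option names as documented by `xmrig --help`; short aliases included.
XMRIG_OPTIONS = {
    "-o": "url", "--url": "url",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "-a": "algo", "--algo": "algo",
    "--coin": "coin",
    "-k": "keepalive", "--keepalive": "keepalive",
    "--tls": "tls",
    "-t": "threads", "--threads": "threads",
    "--donate-level": "donate-level",
    "-B": "background", "--background": "background",
    "--cpu-max-threads-hint": "cpu-max-threads-hint",
    "--rig-id": "rig-id",
}
FLAG_ONLY = {"keepalive", "tls", "background"}  # options that take no value
# Subset of real XMRig algorithm identifiers.
KNOWN_ALGOS = {"rx/0", "rx/wow", "rx/arq", "cn/r", "cn/half", "argon2/chukwa", "kawpow", "ghostrider"}
# A mining pool endpoint: optional stratum scheme, host, mandatory port.
POOL_RE = re.compile(r"^(stratum\+(tcp|ssl)://)?[^\s:/]+:\d{2,5}$")


def parse_xmrig_args(cmdline: str) -> dict:
    """Map recognised XMRig options in a command line to their values."""
    argv = shlex.split(cmdline)
    matched = {}
    i = 1  # argv[0] is the binary
    while i < len(argv):
        tok, val = argv[i], None
        if tok.startswith("--") and "=" in tok:
            tok, val = tok.split("=", 1)            # --algo=rx/0
        elif tok.startswith("-") and not tok.startswith("--") and len(tok) > 2:
            tok, val = tok[:2], tok[2:]             # getopt-style -oHOST:PORT
        name = XMRIG_OPTIONS.get(tok)
        if name is None:
            i += 1
            continue
        if name in FLAG_ONLY:
            matched[name] = True
        else:
            if val is None and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                val = argv[i + 1]
                i += 1
            matched[name] = val
        i += 1
    return matched


def classify(cmdline: str) -> dict:
    """An XMRig-like launch needs a pool endpoint plus a known algorithm or
    miner-specific options; '-o out' or 'curl -u' alone never qualifies."""
    m = parse_xmrig_args(cmdline)
    reasons = []
    pool = m.get("url")
    has_pool = isinstance(pool, str) and bool(POOL_RE.match(pool))
    if has_pool:
        reasons.append(f"pool endpoint {pool}")
    if m.get("algo") in KNOWN_ALGOS:
        reasons.append(f"known algorithm {m['algo']}")
    specific = {"donate-level", "coin", "cpu-max-threads-hint", "rig-id", "keepalive", "tls"} & m.keys()
    if specific:
        reasons.append("miner-specific options: " + ", ".join(sorted(specific)))
    return {"is_xmrig_like": has_pool and len(reasons) >= 2, "matched": m, "reasons": reasons}


def scan_records(records) -> list:
    """Return the pids of (pid, cmdline) records that look like XMRig."""
    return [pid for pid, cmd in records if classify(cmd)["is_xmrig_like"]]


# Constructed process-launch records (pid, command line), not real telemetry.
SAMPLE_RECORDS = [
    (1001, "/system/bin/ls -o /sdcard"),
    (1002, "curl -u user:pass https://example.invalid/api"),
    (1003, "/usr/bin/gcc -o out main.c"),
    (4242, "/data/user/0/com.fake.sbicard/files/libxm -o stratum+tcp://pool.invalid:3333 "
           "-u 4A1b2c3d4e5f6g7h8i9j0kWallet -p x --algo rx/0 --donate-level 1 -k --tls "
           "--cpu-max-threads-hint 50 --background"),
]

if __name__ == "__main__":
    for pid, cmd in SAMPLE_RECORDS:
        r = classify(cmd)
        print(pid, "XMRIG-LIKE" if r["is_xmrig_like"] else "ok", "; ".join(r["reasons"]))
```

On Android the command line comes from `/proc/<pid>/cmdline` (NUL-separated, so join on spaces before calling `classify`); on a desktop EDR it comes from process-creation telemetry. The pool-endpoint requirement is what keeps the rule precise: the option letters alone are shared with many ordinary tools.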

Using XMRig lets the malware mine efficiently on infected devices. The mining enriches the attackers while draining the victim’s device: it runs silently in the background, usually unnoticed, and shows up only as degraded performance and faster battery drain.

Unlike malware that only mines, this campaign also steals sensitive financial data from infected devices: banking logins, credit card numbers, and other personal information that criminals can use for fraud and identity theft. The combination of financial data theft and cryptomining is what makes the malware both harmful to victims and lucrative for the attackers.

Geographic Impact and