Hackers use fake Google Play to mine cryptocurrency and steal funds
A new malicious campaign targeting Android users has been detected in Brazil. Attackers disguise phishing pages as the official Google Play Store and distribute apps that, once installed, are used for covert cryptocurrency mining and fund theft.
According to Cryptopolitan, the attack combines social engineering with technically sophisticated methods, making it difficult to detect even for experienced users.
How the attack works
As SecureList notes, the campaign starts with a phishing site that closely mimics the Google Play interface. Users are prompted to download an app called INSS Reembolso, allegedly linked to Brazil’s social security system.
Once installed, the malware deploys in stages: the installed app first downloads encrypted components, decrypts them and executes the main payload directly in the device's memory. Because the decrypted payload is never written to storage, there is no payload file for the user to find, and the activity stays hidden.
The malware also checks whether it is running in an emulator or analysis sandbox and shuts down if analysis is detected. Once the device is deemed "safe", it loads additional modules, including an XMRig-based miner built for ARM devices. The miner connects the smartphone to attacker-controlled infrastructure and mines cryptocurrency in the background.
To remain undetected, the program monitors device conditions such as battery level, temperature and user activity, and mines only when conditions are suitable, so that the resulting slowdown and heat are less likely to give it away. It also sidesteps Android's limits on background execution by playing a near-silent audio file, which keeps the app counted as active so the system does not suspend it.
Theft and remote access
The malware’s capabilities go beyond mining. In some cases, it installs a banking trojan targeting Binance and Trust Wallet users, particularly during USDT transactions.
The trojan draws fake interfaces over the legitimate apps and silently replaces the destination wallet address, so the funds go to the attacker's wallet without the user noticing.
In addition, infected devices can be used to record audio, capture screenshots, send SMS messages and log user activity. Command and control is handled via Firebase Cloud Messaging, a legitimate Google service, so the traffic blends in with ordinary push notifications and is harder to spot.
Some variants also deploy BTMOB, a remote access tool sold under a malware-as-a-service model. It gives attackers full remote control of the device, including the camera, GPS and stored credentials.
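The address substitution described above, as an added example that is not part of the article or of the SecureList research: a Python check that compares the destination address shown in a send dialog against the user's own saved record, and shows why a valid checksum and a glance at the first few characters do not catch a swap. It assumes TRC-20 USDT, i.e. TRON base58check addresses beginning with T; the page does not say which network was targeted. The address book, the demo addresses and the lookalike-search helper are all constructed for this example.

```python
"""Added example, not from SecureList or the article: full-address comparison
that catches a swapped USDT destination even when the substituted address is
well-formed and shares a prefix with the real one. Assumes TRC-20 USDT on TRON
(base58check, version byte 0x41, rendered with a leading 'T'). All addresses
here are constructed from fixed strings, not real wallets."""
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TRON_VERSION = 0x41  # mainnet version byte; a 25-byte payload encodes to 'T' + 33 chars
DEMO_HASH = hashlib.sha256(b"demo-contact").digest()[:20]  # stands in for a pubkey hash


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        i = B58.find(ch)
        if i < 0:
            raise ValueError("not base58: %r" % ch)
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def tron_address(pubkey_hash: bytes) -> str:
    """Build a base58check TRON address from a 20-byte public-key hash."""
    payload = bytes([TRON_VERSION]) + pubkey_hash
    return b58encode(payload + _checksum(payload))


def is_wellformed(addr: str) -> bool:
    """Version byte and checksum only: a swapped attacker address passes this."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == TRON_VERSION and _checksum(raw[:21]) == raw[21:]


def verify_destination(contact: str, shown: str, address_book: dict) -> tuple:
    """Return (ok, reason) for the address a send dialog shows for 'contact'."""
    if not is_wellformed(shown):
        return False, "malformed address"
    expected = address_book.get(contact)
    if expected is None:
        return False, "no trusted record for %s; verify out of band" % contact
    if shown != expected:  # compare the whole string, not the first/last 4 characters
        return False, "address differs from trusted record: possible substitution"
    return True, "matches trusted record"


def vanity_lookalike(target: str, prefix_len: int = 3, limit: int = 1_000_000) -> str:
    """Find a different well-formed address sharing target's first characters, the
    way an attacker grinds keys for a lookalike; payloads here come from a counter."""
    for i in range(limit):
        cand = tron_address(hashlib.sha256(("lookalike-%d" % i).encode()).digest()[:20])
        if cand != target and cand[:prefix_len] == target[:prefix_len]:
            return cand
    raise RuntimeError("no lookalike found within limit")


# Constructed demo data: the address the user saved for a contact earlier.
ADDRESS_BOOK = {"exchange-deposit": tron_address(DEMO_HASH)}

if __name__ == "__main__":
    real = ADDRESS_BOOK["exchange-deposit"]
    fake = vanity_lookalike(real)
    print("saved   :", real)
    print("swapped :", fake, "well-formed:", is_wellformed(fake))
    print(verify_destination("exchange-deposit", real, ADDRESS_BOOK))
    print(verify_destination("exchange-deposit", fake, ADDRESS_BOOK))
```

The point of the lookalike search is that the attacker's substitute address is a perfectly valid address, so format and checksum checks pass and only a full comparison against a record the malware cannot edit (a contact saved earlier, a printed address, a second device) exposes the swap.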
Why it matters for the market
The case in Brazil highlights how threats in the crypto industry are evolving. While earlier risks were mostly tied to protocol exploits, attackers are now increasingly targeting users through phishing, fake interfaces, and social engineering.
Such schemes are becoming widespread. MaaS tools like BTMOB lower the barrier to entry, accelerating the spread of attacks. As a result, even using trusted platforms does not guarantee safety.
For companies, this means investing not only in infrastructure security but also in protecting user interactions — from warnings to monitoring fake domains. Binance and Google are already expanding such efforts, but attackers continue to adapt quickly.
For users, the takeaway is clear: verifying sources and avoiding third-party links is critical. As phishing grows, vigilance becomes the primary line of defense.
At the same time, risks are expanding across ecosystems. Google recently disclosed iOS exploitation aimed at crypto wallet seed phrases: researchers from Google Threat Intelligence Group uncovered a toolkit called Coruna, designed to compromise iPhones running iOS versions from 13.0 to 17.2.1. This confirms that attacks are becoming cross-platform and affect users regardless of the system they use.