Roamer Android Banking Trojan Crypto

Cloud Mining Scam Distributes Roamer Banking Trojan

New Android Malware Targeting Cryptocurrency Wallets and Banking Applications

In recent years, cloud mining has become a convenient option for individuals interested in entering the cryptocurrency realm without extensive technical expertise or costly mining hardware. This concept offers users the opportunity to remotely mine digital currencies like Bitcoin or Ethereum by renting computing power from cloud mining companies.

However, along with the growth of this industry, a darker side has emerged. Cybercriminals have identified the potential for exploitation in cloud mining and have resorted to deceptive tactics to defraud unsuspecting individuals. Recently, Cyble Research & Intelligence Labs (CRIL) identified a cloud mining scam involving a Threat Actor (TA) operating a fraudulent website and distributing Android malware to unsuspecting victims through various phishing sites.

The discovered phishing site hxxps://cloudmining.uk[.]com claims to be a cloud mining platform and prompts users to download a malicious application to start mining. The TA behind this malicious scheme has put significant effort into designing the website to appear genuine, with the intention of tricking victims into downloading the malicious application.

The phishing site uses a deceptive tactic: its “Google Play” and “App Store” buttons do not lead to the official stores. Clicking either button starts a direct download of an APK file named “CloudMining.apk”, so users sideload the malicious application while believing they are being sent to a legitimate app store.

Figure 1 – Phishing website distributing Android malware

While investigating the phishing site above, we found a Telegram channel called “CloudMiningTeam” operated by the TA. The channel has been active since May 15, 2023, has over 5,000 subscribers, and carries regular posts from the TA promoting the cloud mining scheme.

Figure 2 – TA’s Telegram channel running a fraudulent mining scheme

The TA is employing its Telegram channel to distribute yet another phishing website, hxxps://cloud-miner[.]cc. The phishing site closely resembles the interface of the website mentioned above and prompts users to download an identical APK file named “CloudMining.apk”.

The image below showcases one of the posts shared by the TA within the Telegram channel, disseminating the phishing link to unsuspecting users.

Figure 3 – Post shared by TA mentioning phishing link

Furthermore, we have discovered an additional phishing website, hxxps://cloud-miner[.]top, that is also involved in this scam. While the UI of this phishing site differs from the previously mentioned sites, it follows a similar theme related to cloud mining. Just like the other phishing sites, this one also prompts the download of the same malware file named “CloudMining.apk.”

Figure 4 – Phishing site distributing Android malware

The TA has also provided the “Login” or “Register Now” buttons on the phishing sites. Upon clicking the buttons on any of these phishing sites, users are redirected to a common cloud mining scam website, hxxps://cloud-mining[.]vip. This fraudulent website allows users to create an account and purportedly earn profits through TRX (Tron) cloud mining.

Figure 5 – Cloud Mining scam website

To initiate the mining process, the phishing site instructs users to recharge their accounts by transferring TRX currency to the displayed QR code or wallet address, as shown in the below figure.

Figure 6 – Prompting users to transfer TRX currency to the TA’s wallet address

Once installed and granted the requested permissions, “CloudMining.apk” opens the same cloud mining scam website. Alongside this front, the TA has embedded a malicious module in the application, shown in Figure 7, that extracts sensitive information from the infected device and targets several cryptocurrency wallets and banking applications.

Figure 7 – Malware module and targeted wallets, along with banks

During our investigation, we noticed over 15 similar malware samples that employed different themes for distribution. These samples frequently utilized gaming or shopping mall names and icons.

Throughout this analysis we refer to the malware as the “Roamer” Banking Trojan, after the tag name that appears in the AppConfig class of every identified sample.

Figure 8 – App config

For our technical analysis, we focused on a recently discovered malicious file called “CloudMining.apk”, which has a hash value of “d6102c5d1bd275100850b2d662e5168c1a081a0df34848436622bf8af793cc5b”. Notably, this specific application adopts the same icon as the Telegram channel but carries out malicious activities once installed. In the following section, we provide a comprehensive analysis of the malware.

Technical Analysis

APK Metadata Information

  • App Name: CloudMining
  • Package Name: com.cminapp
  • SHA256 Hash: d6102c5d1bd275100850b2d662e5168c1a081a0df34848436622bf8af793cc5b

Like other banking Trojans, Roamer relies on the Android Accessibility Service for its malicious operations. Once installed, the malware asks the user to enable its Accessibility Service. An enabled service can read the view hierarchy of whichever application is in the foreground and inject clicks and text, and this is exactly what the malware abuses to extract sensitive information from cryptocurrency wallet and banking applications.

The malware targets 17 cryptocurrency wallet applications and 9 banking applications. Below is the list of targeted applications:

Application package name        Application name
com.vnpay.abbank                AB Ditizen
mobile.acb.com.vn               ACB One
com.snapwork.hdfc               HDFC Bank Mobile Banking App
com.mbmobile                    MB Bank
vn.com.msb.smartBanking         MSB mBank
com.vsii.pvcombank              PV Mobile Banking
com.vnpay.SCB                   SCB Mobile Banking
com.VCB                         VCB Digibank
com.vietinbank.ipay             VietinBank iPay
com.binance.dev                 Binance: BTC, Crypto, and NFTS
com.bitpie                      Bitpie Wallet
com.bitso.wallet                Bitso
com.bybit.app                   Bybit: Buy Bitcoin, Trade Crypto
com.coinbase.android            Coinbase: Buy Bitcoin & Ether
pro.huobi                       Huobi: Buy Crypto & Bitcoin
com.legendwd.hyperpay           aelf Official Wallet
im.token.app                    imToken: Crypto & DeFi Wallet
com.kubi.kucoin                 KuCoin: BTC, Crypto Exchange
io.metamask                     MetaMask – Blockchain Wallet
com.okinc.okex.gp               OKX: Buy Bitcoin, ETH, Crypto
com.paypal.android.p2pmobile    PayPal – Send, Shop, Manage
com.plunien.poloniex            Poloniex Crypto Exchange
io.safepal.wallet               SafePal: Crypto Wallet BTC NFT
vip.mytokenpocket               TokenPocket Wallet Crypto DeFi
com.tronlinkpro.wallet          TronLink Pro
com.wallet.crypto.trustapp      Trust: Crypto & Bitcoin Wallet

The Roamer Banking Trojan verifies the package name of the application that the victim is interacting with. If it matches the targeted application, the malware extracts sensitive data, including crypto wallet details such as account balance, currency type, transaction amount, and recipient information. Additionally, Roamer also steals PINs and passwords from banking applications.

The malware inspects incoming accessibility events to locate the UI elements of the targeted application. For example, for the Huobi cryptocurrency wallet it looks up the view resource ID “pro.huobi:id/widget_balance_view” to read the account balance.

Figure 9 – Fetching balance from the crypto wallet application

Along with retrieving the account balance, the malware also fetches the transaction details, such as the amount to be sent, the recipient’s wallet address, and the type of currency from the victim’s cryptocurrency wallet application, as shown in the figure below.

Figure 10 – Stealing wallet transaction details.

The malware also monitors events on text fields. When it detects the field that holds the recipient address of a cryptocurrency transaction, it overwrites the field with the TA’s wallet address. Because the malware can also dispatch clicks through the Accessibility Service, the transfer can be completed with little or no user interaction, sending the funds straight to the TA’s address.

Figure 11 – Inserting TA’s wallet address

In addition to cryptocurrency wallet applications, Roamer also targets banks in India and Vietnam. Figure 12 shows the code that extracts net banking credentials from the HDFC Bank application, a prominent national bank in India. The malware scans the elements of the HDFC application for the login button and the password and PIN text fields; when it finds them, it saves the entered password and PIN to a Shared Preferences file for later use.

Figure 12 – Malware stealing net banking credentials

After stealing credentials from net banking and cryptocurrency wallet applications, Roamer malware stores them in the “config.xml” Shared Preference file. Subsequently, the stolen credentials are transmitted to the command and control (C&C) server hxxp://c58cmin.m8er2s[.]top:8092, as depicted in the figure provided below.

Figure 13 – Sending stolen credentials to the C&C server
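As an added example (not code from the original report or from the malware), the following Python script parses a SharedPreferences XML file of the kind Roamer writes, so a responder who has pulled config.xml from an infected device (normally under /data/data/<package>/shared_prefs/) can list what was stored. The key names and values in the embedded sample are constructed; the real keys Roamer uses are not given on this page, so the credential-key heuristic is an assumption.

```python
"""Parse an Android SharedPreferences file such as Roamer's config.xml.

Added example for device triage; not code from the original report. Key names
in SAMPLE_CONFIG_XML are constructed and are not the keys the malware uses.
"""
import xml.etree.ElementTree as ET
from typing import Any


# SharedPreferences live in the app's private data directory; reading them
# needs root or an `adb backup` of the package.
def prefs_path(package: str, name: str = "config.xml") -> str:
    return f"/data/data/{package}/shared_prefs/{name}"


# Constructed sample in the real SharedPreferences layout (typed children of
# <map>); the key names and values are invented for illustration.
SAMPLE_CONFIG_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="tag">Roamer</string>
    <string name="hdfc_pin">123456</string>
    <string name="hdfc_password">hunter2</string>
    <string name="wallet_balance">0.0213 BTC</string>
    <int name="upload_count" value="3" />
    <boolean name="acc_enabled" value="true" />
    <set name="targets">
        <string>pro.huobi</string>
        <string>com.snapwork.hdfc</string>
    </set>
</map>
"""


def parse_shared_prefs(xml_text: str) -> dict[str, Any]:
    """Return the preferences as a dict, converting each typed element."""
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError(f"not a SharedPreferences file: root is <{root.tag}>")
    prefs: dict[str, Any] = {}
    for el in root:
        name = el.get("name")
        if name is None:
            continue
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value", "0"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value", "0"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag == "set":
            prefs[name] = {c.text or "" for c in el if c.tag == "string"}
    return prefs


# Assumed heuristic: key substrings that suggest a stored credential.
CREDENTIAL_HINTS = ("pin", "pwd", "pass", "otp", "secret")


def credential_entries(prefs: dict[str, Any]) -> list[tuple[str, str]]:
    """String-valued entries whose key looks like a credential, sorted by key."""
    return sorted(
        (k, v) for k, v in prefs.items()
        if isinstance(v, str) and any(h in k.lower() for h in CREDENTIAL_HINTS)
    )


def redact(value: str) -> str:
    """Keep first and last character so analysts can correlate without logging secrets."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def report(xml_text: str) -> list[str]:
    """Human-readable summary: entry count plus redacted credential-like values."""
    prefs = parse_shared_prefs(xml_text)
    lines = [f"{len(prefs)} entries"]
    for key, value in credential_entries(prefs):
        lines.append(f"credential-like key {key!r}: {redact(value)}")
    return lines


if __name__ == "__main__":
    print(prefs_path("com.cminapp"))
    print("\n".join(report(SAMPLE_CONFIG_XML)))
```

The key-name heuristic will also match benign keys (for example anything containing “mapping”), so treat the output as a starting point for manual review rather than a verdict, and keep the redaction in place when the report leaves the analysis host.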

In addition to its primary function of stealing credentials from banking and cryptocurrency wallet applications, the Roamer Banking Trojan also receives commands from the C&C server to gather sensitive data from the infected device.

Below is the list of commands:

Command        Description
x0000myview    Receives a code selecting one of several operations (see the code table below)
x0000ca        Captures photos with the camera
x0000fm        Collects files
x0000lm        Collects location
x0000sm        Collects SMS messages
x0000view      Opens the targeted application and collects screenshots

Figure 14 – Malware receiving commands from the C&C server

Upon receiving the command “x0000ca” from the C&C server, the malware proceeds to capture photos using the infected device’s camera.

These captured pictures are then sent to the C&C server, as illustrated in the figure below.

Figure 15 – Capturing photos from the infected device’s camera

The malware collects SMS data and files from the infected device along with location details based on commands received from the server.

Figure 16 – Stealing files from the infected device

Figure 17 – Collecting SMSs from the infected device

Figure 18 – Collecting location details of the victim’s device

When the malware receives the command “x0000view” from the C&C server, it opens the targeted application whose package name is sent along with the command. Once the application is in the foreground, the malware captures a screenshot and sends it to the server. In the figure below, the malware opens the Google Authenticator application and takes a screenshot; the TA can read the 2FA code from the stolen screenshot to complete a fraudulent transaction.

Figure 19 – Taking a screenshot of the targeted application

The malware executes various operations upon receiving the command “x0000myview” from the C&C server. These operations involve auto-clicking components on the screen, unlocking and locking the device, taking screenshots, starting screen recording, and replacing clipboard data.

The code depicted in the provided figure is employed to initiate screen recording using Media Projection. This action is triggered when the Roamer Banking Trojan receives the command “x0000myview” along with the corresponding code “startMedia”.

Figure 20 – Starts screen recording

When the Roamer Banking Trojan receives the command “x0000myview”, it can execute various operations based on the code as outlined in the table below:

Code            Description
gesUnlock       Unlock using a dispatched gesture
pinUnlock       Unlock the device using a PIN
wakeup          Trigger wakeup event
slideup         Perform slide-up gesture
unlock          Unlock device
multiClick      Perform multiple click events
click           Perform click event
pos             Get device PIN
touch           Perform touch event
pwdUnlock       Unlock the device using the password
swap            Perform swap gesture
back            Perform back gesture
lock            Lock the device
notify          Send notification
capture         Capture photo
setpwd          Store the stolen password in Shared Preferences
showKeybord     Show keyboard
hideKeybord     Hide keyboard
startMedia      Start screen recording
stopMedia       Stop screen recording
startCapture    Start capturing photos
stopCapture     Stop capturing photos
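The two command tables above, together with the targeted package list, the C&C host and the Huobi view ID, make a compact static signature. As an added example (not the report’s or the malware’s code), the Python script below scores strings dumped from an APK against those indicators and emits an equivalent YARA rule. The embedded string lists are constructed, and the weights and thresholds are the author’s assumptions; many of the x0000myview sub-codes (click, back, lock, unlock) are ordinary words, so they are only counted in bulk.

```python
"""Static string triage for Roamer-style Android bankers.

Added example, not code from the original report. It scores strings pulled
from an APK's classes.dex (e.g. with `strings` or a decompiler) against the
indicators the report lists. Weights and thresholds are the author's own
assumptions, not anything recovered from the sample.
"""
from collections import defaultdict

C2_HOSTS = {"c58cmin.m8er2s.top"}
BALANCE_VIEW_ID = "pro.huobi:id/widget_balance_view"
PREFS_FILE = "config.xml"  # weak indicator: many benign apps use this name
COMMANDS = {"x0000myview", "x0000ca", "x0000fm", "x0000lm", "x0000sm", "x0000view"}
SUBCODES = {"gesUnlock", "pinUnlock", "wakeup", "slideup", "unlock", "multiClick",
            "click", "pos", "touch", "pwdUnlock", "swap", "back", "lock", "notify",
            "capture", "setpwd", "showKeybord", "hideKeybord", "startMedia",
            "stopMedia", "startCapture", "stopCapture"}
TARGET_PACKAGES = {
    "com.vnpay.abbank", "mobile.acb.com.vn", "com.snapwork.hdfc", "com.mbmobile",
    "vn.com.msb.smartBanking", "com.vsii.pvcombank", "com.vnpay.SCB", "com.VCB",
    "com.vietinbank.ipay", "com.binance.dev", "com.bitpie", "com.bitso.wallet",
    "com.bybit.app", "com.coinbase.android", "pro.huobi", "com.legendwd.hyperpay",
    "im.token.app", "com.kubi.kucoin", "io.metamask", "com.okinc.okex.gp",
    "com.paypal.android.p2pmobile", "com.plunien.poloniex", "io.safepal.wallet",
    "vip.mytokenpocket", "com.tronlinkpro.wallet", "com.wallet.crypto.trustapp",
}


def classify(strings):
    """Bucket each string into the indicator category it matches."""
    hits = defaultdict(set)
    for raw in strings:
        s = raw.strip()
        if any(host in s for host in C2_HOSTS):   # host may be embedded in a URL
            hits["c2"].add(s)
        if s == BALANCE_VIEW_ID:
            hits["view_id"].add(s)
        if s == PREFS_FILE:
            hits["prefs"].add(s)
        if s in COMMANDS:
            hits["command"].add(s)
        if s in SUBCODES:
            hits["subcode"].add(s)
        if s in TARGET_PACKAGES:
            hits["target"].add(s)
    return hits


def score(hits):
    """Weighted score; generic tokens (click, back, lock...) only count in bulk."""
    total = 0
    total += 5 if hits["c2"] else 0
    total += 3 if hits["view_id"] else 0
    total += 1 if hits["prefs"] else 0
    total += 4 if len(hits["command"]) >= 3 else 0
    total += 3 if len(hits["subcode"]) >= 5 else 0
    total += 3 if len(hits["target"]) >= 5 else 0
    return total


def verdict(strings):
    """Return (label, score, matched indicators per category)."""
    hits = classify(strings)
    total = score(hits)
    label = "likely Roamer" if total >= 8 else "suspicious" if total >= 4 else "no match"
    return label, total, {k: sorted(v) for k, v in hits.items()}


def yara_rule(name="Roamer_Android_Banker_strings"):
    """Emit a YARA rule built from the same C2, view-ID and command indicators."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, cmd in enumerate(sorted(COMMANDS)):
        lines.append(f'        $cmd{i} = "{cmd}" ascii wide')
    for i, host in enumerate(sorted(C2_HOSTS)):
        lines.append(f'        $c2_{i} = "{host}" ascii wide')
    lines.append(f'        $view = "{BALANCE_VIEW_ID}" ascii wide')
    lines += ["    condition:", "        3 of ($cmd*) or any of ($c2_*) or $view", "}"]
    return "\n".join(lines)


# Constructed sample of what `strings classes.dex` might return for a Roamer-like APK
SAMPLE_STRINGS = [
    "Landroid/accessibilityservice/AccessibilityService;",
    "http://c58cmin.m8er2s.top:8092/api/upload",
    "config.xml", "pro.huobi:id/widget_balance_view", "Roamer",
    "x0000ca", "x0000sm", "x0000view", "x0000myview",
    "startMedia", "pinUnlock", "gesUnlock", "click", "back", "lock",
    "pro.huobi", "io.metamask", "com.snapwork.hdfc",
    "com.wallet.crypto.trustapp", "com.binance.dev",
]
# Constructed strings from an unrelated app: shares only the generic tokens
BENIGN_STRINGS = ["config.xml", "click", "back", "com.example.shop"]

if __name__ == "__main__":
    print(verdict(SAMPLE_STRINGS))
    print(verdict(BENIGN_STRINGS))
    print(yara_rule())
```

Run it over the output of `strings -n 5 classes.dex` (or the string table from jadx or apktool). A score driven only by the sub-code bucket should be treated as noise, which is why that bucket carries a low weight and a count threshold; the C&C host and the Huobi view ID are the discriminating strings, and the generated YARA rule keys on those plus the x0000 command family.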

Conclusion

The Roamer Banking Trojan poses a significant and widespread threat to cryptocurrency wallet applications and banking institutions. The TA responsible for this malicious scheme has utilized deceptive tactics, such as phishing websites and a fraudulent Telegram channel, to distribute the malware and expand their nefarious campaign.

Because the malware targets both cryptocurrency wallets and banking applications, the potential harm to a victim is considerable, and the TA’s goal of monetizing stolen information is plain. Users should be wary of cryptocurrency mining channels on platforms like Telegram: following them can lead to substantial financial losses and the compromise of sensitive personal data.

Maintaining vigilance, implementing robust security measures, and staying informed about emerging cyber threats are essential for users and organizations to effectively mitigate the risks associated with the Roamer Banking Trojan and similar malware attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic           Technique ID   Technique Name
Initial Access   T1476          Deliver Malicious App via Other Means
Initial Access   T1444          Masquerade as a Legitimate Application
Collection       T1512          Capture Camera
Impact           T1510          Clipboard Modification
Discovery        T1418          Application Discovery
Collection       T1412          Capture SMS Messages
Collection       T1533          Data from Local System
Collection       T1417          Input Capture
Collection       T1430          Location Tracking
Collection       T1513          Screen Capture

Indicators of Compromise (IOCs)

Analyzed APK (CloudMining.apk, package com.cminapp)
  SHA256  d6102c5d1bd275100850b2d662e5168c1a081a0df34848436622bf8af793cc5b
  SHA1    ff93cdae77172006d1629527ca95da15d33ae69a
  MD5     3e3d84e158590b814a278ee689b99f61

C&C server
  URL     hxxp://c58cmin.m8er2s[.]top:8092

CloudMining.apk
  URL     hxxps://cloudmining.uk[.]com/CloudMining.apk (distribution URL)
  URL     hxxps://cloud-miner[.]cc/CloudMining.apk (distribution URL)
  URL     hxxps://cloud-miner[.]top/CloudMining.apk (distribution URL)
  SHA256  909e5a89ca4030d145c6da51646870cc48598b424008b5d03e8d365300df4e2f
  SHA1    1afb56b76610dcc433f1948eac5c22576d176ac0
  MD5     cddd8e454b7d2d0b7c862b579ee80c18

Mining.apk
  URL     hxxps://down.mining-tron[.]vip/mining.apk (distribution URL)
  SHA256  dd844ef89c2d9d6b57b21af1488fada00812540d8aed8a2a663f6812cef7ba54
  SHA1    1333ec12a65a153628eea6c3a5aeb4007f8fb690
  MD5     c3e305a93e77a554edd204dde6686b9a

Jardine%20City_336_obf.apk
  URL     hxxps://jardinecity.oss-cn-beijing.aliyuncs[.]com/Jardine%20City_336_obf.apk (distribution URL)
  SHA256  e756bd0253ffbaa9d47397428750d7ab16f06f035660c2738103b9ae39adf0c2
  SHA1    b10fcb046ac22cfc99b58918499ff87d92d9fad6
  MD5     4a43aff478c374cfa5c5e14ae197cecf
