Roamer Android Banking Trojan Crypto

Cloud Mining Scam Distributes Roamer Banking Trojan

New Android Malware Targeting Cryptocurrency Wallets and Banking Applications

In recent years, cloud mining has become a convenient option for individuals interested in entering the cryptocurrency realm without extensive technical expertise or costly mining hardware. This concept offers users the opportunity to remotely mine digital currencies like Bitcoin or Ethereum by renting computing power from cloud mining companies.

However, along with the growth of this industry, a darker side has emerged. Cybercriminals have identified the potential for exploitation in cloud mining and have resorted to deceptive tactics to defraud unsuspecting individuals. Recently, Cyble Research & Intelligence Labs (CRIL) identified a cloud mining scam involving a Threat Actor (TA) operating a fraudulent website and distributing Android malware to unsuspecting victims through various phishing sites.

The discovered phishing site hxxps://[.]com claims to be a cloud mining platform and prompts users to download a malicious application to start mining. The TA behind this malicious scheme has put significant effort into designing the website to appear genuine, with the intention of tricking victims into downloading the malicious application.

The TA has implemented a deceptive tactic on its phishing site. Instead of properly redirecting users to the official Google Play or App Store platforms, they have just used the “Google Play” and “App Store” buttons. When users click on these buttons, the phishing site initiates the direct download of an APK file named “CloudMining.apk.” As a result, users unwittingly download the malicious application without being redirected to the legitimate app store platforms as intended.

Figure 1 – Phishing website distributing Android malware

While investigating the above phishing site, we encountered a Telegram channel called “CloudMiningTeam”, operated by the TA. This channel has been active since May 15, 2023, and the TA has been conducting a fraudulent campaign through it. The Telegram channel has a subscriber base of over 5000 individuals, and the TA regularly posts updates and information regarding the cloud mining scheme.

Figure 2 – TA’s Telegram channel running a fraudulent mining scheme

The TA is employing its Telegram channel to distribute yet another phishing website, hxxps://cloud-miner[.]cc. The phishing site closely resembles the interface of the website mentioned above and prompts users to download an identical APK file named “CloudMining.apk”.

The image below showcases one of the posts shared by the TA within the Telegram channel, disseminating the phishing link to unsuspecting users.

Figure 3 – Post shared by TA mentioning phishing link

Furthermore, we have discovered an additional phishing website, hxxps://cloud-miner[.]top, that is also involved in this scam. While the UI of this phishing site differs from the previously mentioned sites, it follows a similar theme related to cloud mining. Just like the other phishing sites, this one also prompts the download of the same malware file named “CloudMining.apk.”

Figure 4 – Phishing site distributing Android malware

The TA has also provided the “Login” or “Register Now” buttons on the phishing sites. Upon clicking the buttons on any of these phishing sites, users are redirected to a common cloud mining scam website, hxxps://cloud-mining[.]vip. This fraudulent website allows users to create an account and purportedly earn profits through TRX (Tron) cloud mining.

Figure 5 – Cloud Mining scam website

To initiate the mining process, the phishing site instructs users to recharge their accounts by transferring TRX currency to the displayed QR code or wallet address, as shown in the below figure.

Figure 6 – Prompting users to transfer TRX currency to the TA’s wallet address

After granting the requested permissions, installing the “CloudMining.apk” leads to the launch of the same cloud mining scam website. However, in addition to opening the fraudulent scam website, the TA has added a malicious module within the application, as shown in figure 7. This module is designed to extract sensitive information from the infected device and targets various crypto wallets, as well as certain banking applications.

Figure 7 – Malware module and targeted wallets, along with banks

During our investigation, we noticed over 15 similar malware samples that employed different themes for distribution. These samples frequently utilized gaming or shopping mall names and icons.

Throughout this analysis, we will refer to this malware as the “Roamer” Banking Trojan due to the consistent presence of the tag name in the AppConfig class across all identified malicious applications.

Figure 8 – App config

For our technical analysis, we focused on a recently discovered malicious file called “CloudMining.apk”, which has a hash value of “d6102c5d1bd275100850b2d662e5168c1a081a0df34848436622bf8af793cc5b”. Notably, this specific application adopts the same icon as the Telegram channel but carries out malicious activities once installed. In the following section, we provide a comprehensive analysis of the malware.

Technical Analysis 

APK Metadata Information  

  • App Name: CloudMining
  • Package Name: com.cminapp
  • SHA256 Hash: d6102c5d1bd275100850b2d662e5168c1a081a0df34848436622bf8af793cc5b


Like other Banking Trojans, the Roamer Banking Trojan utilizes the Accessibility Service to perform malicious operations. Once installed, the malware requests the user to enable Accessibility Service, and once granted, it proceeds to abuse this service to extract sensitive information from the cryptocurrency wallet and banking applications.

The malware targets 17 cryptocurrency wallet applications and 9 banking applications. Below is the list of targeted applications:

Application package namesApplication names
com.vnpay.abbankAB Ditizen One
com.snapwork.hdfcHDFC Bank Mobile Banking App
com.mbmobileMB Bank mBank
com.vsii.pvcombankPV Mobile Banking
com.vnpay.SCBSCB Mobile Banking
com.VCBVCB Digibank
com.vietinbank.ipayVietinBank iPay
com.binance.devBinance: BTC, Crypto, and NFTS
com.bitpieBitpie Wallet
com.bybit.appBybit:Buy Bitcoin, Trade Crypto
com.coinbase.androidCoinbase: Buy Bitcoin & Ether
pro.huobiHuobi: Buy Crypto & Bitcoin
com.legendwd.hyperpayaelf Official Wallet
im.token.appimToken: Crypto & DeFi Wallet
com.kubi.kucoinKuCoin: BTC, Crypto Exchange
io.metamaskMetaMask – Blockchain Wallet
com.okinc.okex.gpOKX: Buy Bitcoin, ETH, Crypto – Send, Shop, Manage
com.plunien.poloniexPoloniex Crypto Exchange
io.safepal.walletSafePal: Crypto Wallet BTC NFT
vip.mytokenpocketTokenPocket Wallet Crypto DeFi
com.tronlinkpro.walletTronLink Pro
com.wallet.crypto.trustappTrust: Crypto & Bitcoin Wallet

The Roamer Banking Trojan verifies the package name of the application that the victim is interacting with. If it matches the targeted application, the malware extracts sensitive data, including crypto wallet details such as account balance, currency type, transaction amount, and recipient information. Additionally, Roamer also steals PINs and passwords from banking applications.

The malware checks the accessibility events to identify the elements of the targeted application. For example, in the case of the Huobi cryptocurrency wallet, the malware checks the component ID “pro.huobi:id/widget_balance_view” to determine the balance.

Figure 9 – Fetching balance from the crypto wallet application

Along with retrieving the account balance, the malware also fetches the transaction details, such as the amount to be sent, the recipient’s wallet address, and the type of currency from the victim’s cryptocurrency wallet application, as shown in the figure below.

Figure 10 – Stealing wallet transaction details.

The malware actively monitors events associated with text fields, and upon detecting the specific field associated with cryptocurrency transactions, it automatically inserts the TA’s cryptocurrency address into the victim’s application. This allows transactions to occur without any user interaction, resulting in funds being transferred directly to the TA’s account.

Figure 11 – Inserting TA’s wallet address

In addition to targeting cryptocurrency wallet applications, Roamer also focuses on banks in India and Vietnam. Figure 13 illustrates the code implemented to extract net banking credentials specifically from HDFC Bank, a prominent national bank in India. The malware scans the elements of the HDFC banking application, including the login button and password or PIN text fields. When it identifies these specific fields, the malware saves the entered password and PIN in the Shared Preference file for unauthorized access later.

Figure 12 – Malware stealing net banking credentials

After stealing credentials from net banking and cryptocurrency wallet applications, Roamer malware stores them in the “config.xml” Shared Preference file. Subsequently, the stolen credentials are transmitted to the command and control (C&C) server hxxp://c58cmin.m8er2s[.]top:8092, as depicted in the figure provided below.

Figure 13 – Sending stolen credentials to the C&C server

In addition to its primary function of stealing credentials from banking and cryptocurrency wallet applications, the Roamer Banking Trojan also receives commands from the C&C server to gather sensitive data from the infected device.

Below is the list of commands:

x0000myviewReceives code to execute different operations
x0000caCaptures photos from a camera
x0000fmCollects files
x0000lmCollects location
x0000smCollects SMSs
x0000viewOpen the Targeted application and collect screenshots
Figure 14 – Malware receiving commands from the C&C server

Upon receiving the command “x0000ca” from the C&C server, the malware proceeds to capture photos using the infected device’s camera.

These captured pictures are then sent to the C&C server, as illustrated in the figure below.

Figure 15 – Capturing photos from the infected device’s camera

The malware collects SMS data and files from the infected device along with location details based on commands received from the server.

Figure 16 – Stealing files from the infected device

Figure 17 – Collecting SMSs from the infected device

Figure 18 – Collecting location details of the victim’s device

When the malware receives the command “x0000view” from the C&C server, it opens the specified targeted application. The package name of the targeted application is received from the server along with the command. Once the application is launched, the malware captures a screenshot of the opened application and sends them to the server. As shown in the below figure, the malware is opening the Google Authenticator application and taking a screenshot. TAs can use the stolen screenshot to obtain a 2FA code for performing a fraudulent transaction.

Figure 19 – Taking a screenshot of the targeted application

The malware executes various operations upon receiving the command “x0000myview” from the C&C server. These operations involve auto-clicking components on the screen, unlocking and locking the device, taking screenshots, starting screen recording, and replacing clipboard data.

The code depicted in the provided figure is employed to initiate screen recording using Media Projection. This action is triggered when the Roamer Banking Trojan receives the command “x0000myview” along with the corresponding code “startMedia”.

Figure 20 – Starts screen recording

When the Roamer Banking Trojan receives the command “x0000myview”, it can execute various operations based on the code as outlined in the table below:

gesUnlockUnlock dispatched gesture
pinUnlockUnlock the device using a PIN
wakeupTrigger wakeup event
slideupPerform slide-up gesture
unlockUnlock device
multiClickPerform multiple clicks event
clickPerform click event
posGet device PIN
touchPerform touch event
pwdUnlockUnlock the device using the password
swapPerform swap gesture
backPerform back gesture
lockLock the device
notifySend notification
captureCapture photo
setpwdSet stolen password in shared preference
showKeybordShows keyboard
hideKeybordHides keyboard
startMediaStarts screen recording
stopMediaStops screen recording
startCaptureStarts capturing photos
stopCaptureStop capturing photos


The Roamer Banking Trojan poses a significant and widespread threat to cryptocurrency wallet applications and banking institutions. The TA responsible for this malicious scheme has utilized deceptive tactics, such as phishing websites and a fraudulent Telegram channel, to distribute the malware and expand their nefarious campaign.

The malware’s ability to target both cryptocurrency wallets and banking institutions amplifies the potential harm inflicted on victims, emphasizing the TA’s unwavering commitment to exploiting stolen information for financial gain. Users must exercise caution and refrain from following suspicious cryptocurrency mining channels on platforms like Telegram, as these channels can lead to substantial financial losses and compromise sensitive personal data.

Maintaining vigilance, implementing robust security measures, and staying informed about emerging cyber threats are essential for users and organizations to effectively mitigate the risks associated with the Roamer Banking Trojan and similar malware attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Means.
Initial AccessT1444Masquerade as a Legitimate Application
CollectionT1512Capture Camera
ImpactT1510Clipboard Modification
DiscoveryT1418Application Discovery
CollectionT1412Capture SMS Messages
CollectionT1533Data from Local System
CollectionT1417Input Capture
CollectionT1430Location Tracking
CollectionT1513Screen Capture

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
d6102c5d1bd275100850b2d662e5168c1a081a0df34848436622bf8af793cc5bSHA256  Hash of Analyzed APK
ff93cdae77172006d1629527ca95da15d33ae69aSHA1  Hash of Analyzed APK
3e3d84e158590b814a278ee689b99f61MD5Hash of Analyzed APK
hxxp://c58cmin.m8er2s[.]top:8092URLC&C server
hxxps://[.]com/CloudMining.apkURL  Distribution URL
909e5a89ca4030d145c6da51646870cc48598b424008b5d03e8d365300df4e2fSHA256  CloudMining.apk
hxxps://cloud-miner[.]cc/CloudMining.apkURL  Distribution URL
hxxps://cloud-miner[.]top/CloudMining.apkURLDistribution URL
dd844ef89c2d9d6b57b21af1488fada00812540d8aed8a2a663f6812cef7ba54SHA256  Mining.apk
hxxps://down.mining-tron[.]vip/mining.apkURL  Distribution URL
e756bd0253ffbaa9d47397428750d7ab16f06f035660c2738103b9ae39adf0c2SHA256  Jardine%20City_336_obf.apk
hxxps://jardinecity.oss-cn-beijing.aliyuncs[.]com/Jardine%20City_336_obf.apkURL  Distribution URL

Comments are closed.

Scroll to Top