The Quiet Hijack Of Brazilian Smartphones
Imagine your phone suddenly starts running hot or your battery drains before lunch, but no matter how many apps you close, nothing changes.
In Brazil, thousands of users are discovering that their mobile devices have been turned against them.
A sophisticated new phishing campaign is tricking people into downloading what looks like a government-linked social security app, only to have their hardware hijacked for cryptocurrency mining and their digital wallets drained.
The trap begins with a website that is a near-perfect mirror of the Google Play Store.
It offers an application called INSS Reembolso, a name designed to exploit the trust of those looking for social security refunds.
Once a user hits download, the software does not just install; it unfolds.
It uses a multi-stage process to unpack encrypted code directly into the device's memory.
Because the main malicious code never actually lives as a visible file on the phone, traditional security scans often miss it entirely.
How Does The Malware Stay Invisible?
The creators of this scheme are remarkably disciplined.
The malware does not just mine crypto at full speed until the phone dies.
Instead, it acts like a cautious parasite.
It constantly monitors the phone's internal temperature, battery percentage, and how long the app has been installed.
If the phone gets too hot or the battery drops too low, the mining stops to avoid raising suspicion.
To prevent Android’s power-saving features from killing the process, the malware loops a silent audio file in the background.
This trick convinces the operating system that the app is performing a vital task, like playing music, allowing it to keep the processor running for the attackers.
Security researchers at Securelist observed that "there are no visible files on the device, making it hard for users to detect any suspicious activity."
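The gating behaviour described above (mining only while the device is cool and charged, while holding a media session so power-saving does not kill the process) is itself a detectable pattern. The following is an added example, not code from the report or from the malware: a heuristic that flags an app whose CPU load switches on and off with temperature and battery while it keeps a media-playback session alive. The telemetry, the thresholds and the `Sample` layout are constructed assumptions for this example.

```python
"""Heuristic for 'cautious' miner behaviour: CPU load gated on device state."""
from dataclasses import dataclass

# Thresholds are assumptions for this example, not values from the report.
HOT_C = 40.0        # the miner pauses above this temperature
LOW_BATTERY = 30    # the miner pauses below this battery percentage
BUSY_CPU = 40.0     # per-app CPU percent that counts as "working hard"
IDLE_CPU = 5.0      # per-app CPU percent that counts as paused


@dataclass
class Sample:
    temp_c: float
    battery_pct: int
    app_cpu_pct: float
    media_session: bool  # app holds a media-playback foreground service


def _favourable(s: Sample) -> bool:
    return s.temp_c < HOT_C and s.battery_pct >= LOW_BATTERY


def is_throttled_miner(samples: list[Sample]) -> bool:
    """True when the app is busy only under favourable conditions, idle
    otherwise, and keeps a media session open for the whole observation."""
    ok = [s for s in samples if _favourable(s)]
    bad = [s for s in samples if not _favourable(s)]
    if not ok or not bad:
        return False  # no state change observed, cannot judge gating
    busy_when_ok = sum(s.app_cpu_pct >= BUSY_CPU for s in ok) / len(ok)
    idle_when_bad = sum(s.app_cpu_pct <= IDLE_CPU for s in bad) / len(bad)
    always_playing = all(s.media_session for s in samples)
    return busy_when_ok >= 0.8 and idle_when_bad >= 0.8 and always_playing


# Constructed telemetry: a gated miner that "plays" a silent file throughout.
MINER_TELEMETRY = [
    Sample(30, 90, 85, True), Sample(32, 85, 90, True), Sample(35, 80, 88, True),
    Sample(42, 75, 1, True), Sample(44, 70, 0, True),    # hot: mining paused
    Sample(34, 25, 2, True), Sample(33, 20, 1, True),    # low battery: paused
    Sample(31, 60, 87, True),
]

# Constructed telemetry: a real music player, modest CPU regardless of state.
MUSIC_PLAYER_TELEMETRY = [
    Sample(30, 90, 12, True), Sample(42, 70, 11, True),
    Sample(33, 20, 10, True), Sample(31, 80, 12, True),
]

if __name__ == "__main__":
    print("miner:", is_throttled_miner(MINER_TELEMETRY))        # True
    print("player:", is_throttled_miner(MUSIC_PLAYER_TELEMETRY))  # False
```

A legitimate audio app also holds a media session, so the media check alone is not evidence; it is the combination with state-gated CPU load that is suspicious.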
Can This Malware Empty Your Crypto Wallet?
While the background mining generates passive income for hackers, the more immediate threat lies in its banking module.
The software is programmed to wait for the user to open legitimate apps like Binance or Trust Wallet.
When a user attempts a USDT transfer, the malware triggers a screen overlay – a fake interface that sits perfectly on top of the real app.
As the victim types in a recipient's wallet address, the malware intercepts the command and replaces it with the attacker’s address.
To the user, it looks like a standard transaction, but the funds are diverted instantly.
This module also keeps a watchful eye on mobile browsers like Chrome and Brave, capable of logging every keystroke, recording audio through the microphone, and even capturing screenshots of private recovery phrases.
What Is The Role Of BTMOB And Remote Access?
The campaign has recently evolved to include a tool known as BTMOB, a Remote Access Trojan sold on the dark web under a Malware-as-a-Service model.
This means even low-level hackers can rent the technology to launch their own attacks.
BTMOB gives the intruder almost total control over the physical device.
They can turn on the camera, track the phone’s GPS location in real time, or wipe the entire device to hide their tracks.
Promotion for these tools is surprisingly brazen, with demos appearing on YouTube and customer support handled via Telegram.
While the current wave of infections is concentrated in Brazil and spreading through WhatsApp links, the underlying technology is adaptable.
Recent findings from Google’s Threat Intelligence Group also highlighted a toolkit called Coruna, which targets iOS users, proving that no operating system is entirely immune to these evolving social engineering tactics.