Particle.news

BeatBanker Android Malware Disguises Itself as Starlink App in Brazil

Kaspersky reports the campaign operates through counterfeit Play Store pages that push users to sideload malicious apps.

Overview

  • Attackers lure victims to websites that mimic Google Play, then use a fake update screen to secure permissions and install sideloaded payloads.
  • Recent samples replace the banking module with the BTMOB remote-access trojan, enabling full device control, keylogging, screen and camera capture, GPS tracking, and credential theft.
  • The malware deploys a modified ARM build of XMRig to mine Monero, connects to attacker-controlled pools over TLS, and uses Firebase Cloud Messaging to throttle mining based on device status.
  • Persistence is maintained by looping a nearly inaudible five-second MP3 via a foreground service to keep the process alive.
  • Kaspersky has observed infections only in Brazil to date. It urges users to avoid sideloading, review sensitive permissions, and keep devices updated, and it notes that reports of the malware's availability on the Play Store remain unconfirmed.