
Hackers Use Fake Google Play Pages to Spread Crypto Mining Malware Across Brazil


TLDR: Hackers are using fake Google Play Store pages in Brazil to distribute malware disguised as legitimate apps. The malware runs XMRig on infected Android devices, silently mining crypto while avoiding battery detection. A banking Trojan targets Binance and Trust Wallet, replacing wallet addresses during live USDT transactions. BTMOB RAT, a malware-as-a-service tool, gives attackers camera, GPS, and credential access on infected phones.

Android malware is spreading across Brazil through counterfeit Google Play Store pages, according to a new report by SecureList. Hackers are using phishing websites to distribute apps that appear legitimate. Once installed, these apps silently convert infected phones into crypto mining devices. Some variants also deploy a banking Trojan. The campaign currently targets Brazilian users exclusively, with newer versions spreading through WhatsApp and additional phishing channels.

Fake App Turns Phones Into Crypto Mining Machines

The campaign starts with a phishing website that closely mimics the Google Play Store. One of the fake apps is called INSS Reembolso, which claims to be tied to Brazil’s social security service. The design copies trusted government branding and the Play Store layout, making the download appear safe to unsuspecting users.

After a user installs the fake app, the malware begins unpacking hidden code through multiple stages. It uses encrypted components and loads the main malicious code directly into the phone’s memory. SecureList noted that “there are no visible files on the device, making it hard for users to detect any suspicious activity.”

SecureList: Hackers are using fake Google Play pages to spread Android malware in Brazil that turns phones into crypto mining devices (via XMRig) and installs banking Trojans. Some variants target Binance and Trust Wallet, replacing wallet addresses during USDT transfers and… pic.twitter.com/orFCVB86pz — Wu Blockchain (@WuBlockchain) March 22, 2026

The malware also takes ...
