Hackers forged a Google Play Store page to launch cryptocurrency mining and wallet hijacking attacks against Brazilian users.

MarsBit
03-22
According to Mars Finance, hackers have launched an Android malware campaign in Brazil using a phishing page that mimics the Google Play Store. All known victims are currently located in Brazil. The attackers created a phishing website closely resembling Google Play and tricked users into downloading a fake app called "INSS Reembolso". Once installed, the app releases hidden malicious code in stages and loads it directly into memory, leaving no visible files on the device, which makes it highly stealthy.

One of the malware's core functions is cryptocurrency mining: it carries a built-in XMRig mining program, compiled for ARM devices, that silently connects in the background to a mining server controlled by the attacker. The program monitors battery level, temperature, and device usage, dynamically adjusting its mining behavior to evade detection, and bypasses Android's background process management mechanism by playing silent audio files in a loop.

Some variants also include a banking trojan that can overlay a fake page on the USDT transfer interface of Binance and Trust Wallet and silently replace the receiving address. In addition, the malware supports multiple remote control commands, including recording, screenshotting, keylogging, and remotely locking the device.
