Cloud Mining Scams Spread Banking Trojans

Cloud Mining Scams Spread Roamer, the Android banking trojan
Roamer Banking Trojan is implicated in cloud mining scam

It’s no secret that cybercriminals are increasingly using mobile platforms as an attack vector lately. One example is a new Android malware. It spreads through fake cloud mining scams services and targets cryptocurrency wallets and online banking apps. Analysts dubbed this banking trojan as Roamer, though hackers may use different other malware for such attacks.

What are we talking about?

The era of hype around crypto-mining is over, and the shortage of video cards and mining farms is a thing of the past. Today, cloud computing technology is making it possible to significantly lower the entry threshold into the world of crypto-mining. To start mining Bitcoin, for example, there is no need to buy expensive equipment. Instead, the user can rent computing power from cloud mining companies for a fee. Of course, scammers couldn’t stay away from this niche.

The current fraudulent scheme is as follows: attackers create a phishing website that pretends to provide cloud mining services. Unsuspecting users end up on the website, where they are prompted to download a smartphone app. However, instead of the promised app, the user downloads malware that steals crypto wallet data and other valuable information from their device. It sounds too obvious, but this scheme works if it’s being written about.

How the Cloud Mining Scams scheme works

A team of researchers discovered a phishing website with the address hxxps://cloudmining[.]uk[.]com, which looks like a cloud mining platform. The site has “Create Account” and “Sign In” buttons and links to download a mobile app from Google Play and the App Store for Android and iOS devices, respectively. However, attackers use a trick: when clicking on the “Google Play” link, the user is not redirected to the application page in the store, but a direct download of the .apk file named CloudMining.apk takes place. An experienced user might have noticed the unusualness of this behavior. Still, an ordinary user might not pay attention to it. This is precisely the kind of oversight that attackers are counting on. After downloading the file, the victim gets a malicious software module that aims to steal confidential data from the victim’s device.

Website with fake buttons
Visually, it looks like a real button. However, their functionality does not correspond to what is stated

The Roamer Banking Trojan

The “Roamer” Banking Trojan is a malware that extracts sensitive information from infected devices. It targets various crypto wallets and banking applications. It is distributed through fraudulent websites and employs different themes, such as gaming or shopping mall names and icons. Once installed, the malware exploits the Accessibility Service to extract information from targeted applications. The malware targets the following cryptocurrency wallet and banking applications:

HDFC Bank Mobile Banking App
Bitso
OKX: Buy Bitcoin, ETH, Crypto
TokenPocket Wallet Crypto DeFi
TronLink Pro
Binance: BTC, Crypto, and NFTS
Coinbse: Buy Bitcoin & Ether
aelf Official Wallet
Bitpie Wallet
Trust: Crypto & Bitcoin Wallet
MB Bank
SafePal: Crypto Wallet BTC NFT
KuCoin: BTC, Crypto Exchange
Poloniex Crypto Exchange
MetaMask - Blockchain Wallet
SCB Mobile Banking
ACB One
VCB Digibank
PayPal - Send, Shop, Manage
MSB mBank
VietinBank iPay
Coinbase: Buy Bitcoin & Ether
Bybit: Buy Bitcoin, Trade Crypto
Huobi: Buy Crypto & Bitcoin
imToken: Crypto & DeFi Wallet

Roamer Trojan steals sensitive data, including crypto wallet details and banking credentials. It automatically inserts TA's crypto address into the victim's app and transfers funds to TA's account. In addition, it collects SMS data, files, and location details from infected devices. It can open targeted apps, take screenshots, and initiate screen recording. Stolen data is transmitted to a C&C server.

Telegram channel for phishing distribution

Researchers also found an active telegram channel that began its activity on May 15, 2023, and has more than 5 thousand subscribers. Supposedly, scammers use this channel for their purposes and to attract victims. The channel regularly publishes information about cloud mining schemes and distributes phishing websites hxxps://cloud-miner[.]cc and hxxps://cloud-miner[.]top. Although the latter site has a different design, it also involved cloud mining scams. It offers to download the previously mentioned smartphone app.

Telegram post with phishing link
A telegram post that contains a phishing link

Another phishing site

These sites have "Sign in" and "Sign up" buttons to give them a realistic look, but they are not just decorative elements. Clicking on these buttons will redirect the user to another phishing site, hxxps://cloud-mining[.]vip, which offers to create an account and mine Tron (TRX). After registering, the user will be prompted to top up their wallet to start mining, a typical scam scheme. As you may have guessed, it simply hijacks your wallet, since the site intendedly lacks any forms protection.

The site asks to refill the account to start mining
The site asks to refill the account to start mining

Safety tips

The following are tips to help prevent unpleasant experiences with this cyber threat:

  • Only install software from official app stores. This is the Google Play Store for Android and, for iOS, the App Store. While this doesn't guarantee 100% protection against rogue apps, it significantly reduces the chances. Also, if you are an Android user, ensure that Google Play Protect is turned on.
  • Use biometric security features such as fingerprints or facial recognition to unlock your mobile device.
  • Use strong passwords, change them periodically, and use multifactor authentication wherever possible.
  • Update your device firmware and apps to the latest version to fix vulnerabilities and improve security.
  • Be wary of links from unknown senders in SMS, messengers, and emails. Don't click on them, especially if they are suspicious.
  • Never give anyone your banking information or confirmation codes, even if they pretend to be from a bank or other organization.

Cloud Mining Scams Spread Banking Trojans

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *