Date: 08/05/2025
Severity: Medium
Summary
A new Android malware campaign targets Hindi-speaking users in India by impersonating popular banking apps. Spread via phishing websites, it steals personal and financial data and secretly mines Monero cryptocurrency using XMRig, triggered by Firebase Cloud Messaging. The malware evades detection by posing as legitimate app updates and using real assets from official bank sites.
Indicators of Compromise (IOC) List
URL/Domain:
axis.mycardcare.in
icici.mycardcare.in
indusind.mycardcare.in
kotak.mycardcard.in
www.sbi.mycardcare.in
mycardcare.in
http://sbi.mycardcare.in/
https://icici.mycardcare.in/
https://sbi.mycardcare.in/
https://www.sbi.mycardcare.in/
https://kotak.mycardcard.in

Hash (SHA-256):
2c1025c92925fec9c500e4bf7b4e9580f9342d44e21a34a44c1bce435353216c
40bae6f2f736fcf03efdbe6243ff28c524dba602492b0dbb5fd280910a87282d
59c6a0431d25be7e952fcfb8bd00d3815d8b5341c4b4de54d8288149090dcd74
80c6435f859468e660a92fc44a2cd80c059c05801dae38b2478c5874429f12a0
b01185e1fba96209c01f00728f6265414dfca58c92a66c3b4065a344f72768ce
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "indusind.mycardcare.in" or siteurl like "indusind.mycardcare.in" or url like "indusind.mycardcare.in" or domainname like "https://www.sbi.mycardcare.in/" or siteurl like "https://www.sbi.mycardcare.in/" or url like "https://www.sbi.mycardcare.in/" or domainname like "http://sbi.mycardcare.in/" or siteurl like "http://sbi.mycardcare.in/" or url like "http://sbi.mycardcare.in/" or domainname like "https://sbi.mycardcare.in/" or siteurl like "https://sbi.mycardcare.in/" or url like "https://sbi.mycardcare.in/" or domainname like "axis.mycardcare.in" or siteurl like "axis.mycardcare.in" or url like "axis.mycardcare.in" or domainname like "icici.mycardcare.in" or siteurl like "icici.mycardcare.in" or url like "icici.mycardcare.in" or domainname like "https://icici.mycardcare.in/" or siteurl like "https://icici.mycardcare.in/" or url like "https://icici.mycardcare.in/" or domainname like "kotak.mycardcard.in" or siteurl like "kotak.mycardcard.in" or url like "kotak.mycardcard.in" or domainname like "www.sbi.mycardcare.in" or siteurl like "www.sbi.mycardcare.in" or url like "www.sbi.mycardcare.in" or domainname like "mycardcare.in" or siteurl like "mycardcare.in" or url like "mycardcare.in" or domainname like "https://kotak.mycardcard.in" or siteurl like "https://kotak.mycardcard.in" or url like "https://kotak.mycardcard.in"

Detection Query 2:
sha256hash IN ("59c6a0431d25be7e952fcfb8bd00d3815d8b5341c4b4de54d8288149090dcd74","80c6435f859468e660a92fc44a2cd80c059c05801dae38b2478c5874429f12a0","2c1025c92925fec9c500e4bf7b4e9580f9342d44e21a34a44c1bce435353216c","40bae6f2f736fcf03efdbe6243ff28c524dba602492b0dbb5fd280910a87282d","b01185e1fba96209c01f00728f6265414dfca58c92a66c3b4065a344f72768ce")
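The two queries above match the IOC list against URL fields and against a file hash. The Python script below is an added illustration of the same detection logic and is not part of the advisory or of the Gurucul product: it reads JSON event lines carrying the same field names the queries use (domainname, siteurl, url, sha256hash), normalises each URL field to a hostname, matches on domain suffix at label boundaries so that subdomains of the listed domains are caught without matching unrelated hosts that merely contain the string, and compares SHA-256 values case-insensitively. The sample event lines and the helper names are constructed for this example.

```python
"""Match web and endpoint events against the IOCs in this advisory.

Added example, not Gurucul's own query engine. It assumes events arrive as
JSON objects carrying the field names the TDIR queries use (domainname,
siteurl, url, sha256hash); the sample lines below are constructed.
"""
import json
from urllib.parse import urlsplit

# Domains from the advisory's IOC list (the kotak entry uses mycardcard.in, as listed).
IOC_DOMAINS = {
    "mycardcare.in",
    "axis.mycardcare.in",
    "icici.mycardcare.in",
    "indusind.mycardcare.in",
    "sbi.mycardcare.in",
    "www.sbi.mycardcare.in",
    "kotak.mycardcard.in",
}

# SHA-256 hashes of the malicious APKs from the advisory.
IOC_SHA256 = {
    "2c1025c92925fec9c500e4bf7b4e9580f9342d44e21a34a44c1bce435353216c",
    "40bae6f2f736fcf03efdbe6243ff28c524dba602492b0dbb5fd280910a87282d",
    "59c6a0431d25be7e952fcfb8bd00d3815d8b5341c4b4de54d8288149090dcd74",
    "80c6435f859468e660a92fc44a2cd80c059c05801dae38b2478c5874429f12a0",
    "b01185e1fba96209c01f00728f6265414dfca58c92a66c3b4065a344f72768ce",
}

URL_FIELDS = ("domainname", "siteurl", "url")


def extract_host(value: str) -> str:
    """Return the lower-cased hostname from a bare domain or a full URL."""
    value = value.strip()
    # urlsplit only fills netloc when a scheme or a leading "//" is present.
    if "://" not in value:
        value = "//" + value
    host = urlsplit(value).hostname or ""
    return host.lower().rstrip(".")


def host_matches_ioc(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.

    Suffix matching on label boundaries catches 'cdn.sbi.mycardcare.in'
    but not an unrelated host such as 'notmycardcare.in'.
    """
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_event(event: dict) -> list[str]:
    """Return the reasons an event matches; empty list if it is clean."""
    reasons = []
    for field in URL_FIELDS:
        raw = event.get(field)
        if raw:
            host = extract_host(raw)
            if host_matches_ioc(host):
                reasons.append(f"{field}={host}")
    digest = (event.get("sha256hash") or "").strip().lower()
    if digest in IOC_SHA256:
        reasons.append(f"sha256hash={digest[:12]}...")
    return reasons


def scan_events(lines) -> list[tuple[int, list[str]]]:
    """Parse JSON event lines; return (line_no, reasons) for each hit."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        reasons = match_event(event)
        if reasons:
            hits.append((line_no, reasons))
    return hits


# Constructed sample events for this example (not real telemetry).
SAMPLE_LINES = [
    '{"ts": "2025-08-05T09:12:01Z", "src": "10.0.0.21", "url": "https://icici.mycardcare.in/update.apk"}',
    '{"ts": "2025-08-05T09:12:07Z", "src": "10.0.0.22", "domainname": "cdn.sbi.mycardcare.in"}',
    '{"ts": "2025-08-05T09:13:30Z", "src": "10.0.0.23", "siteurl": "https://www.notmycardcare.in/"}',
    '{"ts": "2025-08-05T09:15:00Z", "host": "android-7f3", "sha256hash": "B01185E1FBA96209C01F00728F6265414DFCA58C92A66C3B4065A344F72768CE"}',
    '{"ts": "2025-08-05T09:16:45Z", "src": "10.0.0.24", "url": "https://example.org/index.html"}',
    'not json at all',
]

if __name__ == "__main__":
    for line_no, reasons in scan_events(SAMPLE_LINES):
        print(f"line {line_no}: {', '.join(reasons)}")
```

Running the script reports lines 1, 2 and 4 of the constructed sample as hits and leaves the lookalike on line 3 alone. Hostname normalisation matters because the IOC list mixes bare domains with full URLs; matching on the extracted host means one entry per domain covers the http and https forms and any path, and the case-insensitive hash comparison avoids missing an upper-case digest emitted by a different sensor.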
Reference:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto/