{"id":216651,"date":"2025-08-04T05:24:34","date_gmt":"2025-08-04T12:24:34","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=216651"},"modified":"2025-08-04T13:07:21","modified_gmt":"2025-08-04T20:07:21","slug":"android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/","title":{"rendered":"Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto"},"content":{"rendered":"

Authored by Dexter Shin<\/p>\n

McAfee\u2019s Mobile Research Team discovered a new Android malware campaign targeting Hindi-speaking users, mainly in India. The malware impersonates popular Indian financial apps, including SBI Card, Axis Bank, and IndusInd Bank, and is distributed through phishing websites that are continuously being created. What makes this campaign unique is its dual-purpose design: it steals personal and financial information while also silently mining Monero cryptocurrency using XMRig<\/a>, which is triggered via Firebase Cloud Messaging (FCM). It also abuses user trust by pretending to be a legitimate app update from Google Play.<\/p>\n

McAfee, as part of the App Defense Alliance committed to protecting users and the app ecosystem, reported the identified malicious apps to Google. As a result, Google blocked the associated FCM account to prevent further abuse. Also, McAfee Mobile Security detects all of these apps as High-Risk threats. For more information, visit McAfee’s Mobile Security page<\/a>.<\/p>\n

This campaign targets Indian users by impersonating legitimate financial services to lure victims into installing a malicious app. This is not the first malware campaign targeting Indian users. In the past, McAfee has reported other threats<\/a>. In this case, the attackers take it a step further by using real assets from official banking websites to build convincing phishing pages that host the malware payload. The app delivered through these phishing sites functions as a dropper, meaning it initially appears harmless but later dynamically loads and executes the actual malicious payload. This technique helps evade static detection and complicates analysis.<\/p>\n

Apart from delivering a malicious payload, the malware also mines cryptocurrency on infected mobile devices. When the malware receives specific commands via FCM, it silently initiates a background mining process for Monero (XMR). Monero is a privacy-focused cryptocurrency that hides transaction addresses, sender and receiver identities, and transaction amounts. Because of these privacy features, cybercriminals often use it to stay hidden and move illegal money without getting caught. Its mining algorithm, RandomX, is optimized for general-purpose CPUs, making it possible to mine Monero efficiently even on mobile devices.<\/p>\n

Technical Findings<\/h2>\n

Distribution Methods<\/h3>\n

The malware is distributed through phishing websites that impersonate Indian financial services. These sites are designed to closely resemble official banking sites and trick users into downloading a fake Android app. Here are some phishing sites we found during our investigation.<\/p>\n

\"\"<\/p>\n

Figure 1<\/strong>. Screenshot of a phishing website<\/p>\n

 <\/p>\n

These phishing pages load images, JavaScript, and other web resources directly from the official websites to appear legitimate. However, they include additional elements such as \u201cGet App\u201d or \u201cDownload\u201d buttons, which prompt users to install the malicious APK file.<\/p>\n

Dropper Analysis<\/h2>\n

When the app is launched, the first screen the user sees looks like a Google Play Store page. It tells the user that they need to update the app.<\/p>\n

\"\"<\/p>\n

Figure 2.<\/strong> The initial screen shown by the dropper app<\/p>\n

The app includes an encrypted DEX file stored in the assets folder. This file is not the actual malicious payload, but a loader component. When the app runs, it decrypts this file using XOR key and dynamically loads it into memory. The loaded DEX file contains custom code, including a method responsible for loading additional payloads.<\/p>\n

\"\"<\/p>\n

Figure 3<\/strong>. First-stage encrypted loader DEX and XOR key<\/p>\n

Once the first-stage DEX is loaded, the loader method inside it decrypts and loads a second encrypted file, which is also stored in the assets. This second file contains the final malicious payload. By splitting the loading process into two stages, the malware avoids exposing any clearly malicious code in the main APK and makes static analysis more difficult.<\/p>\n

\"\"<\/p>\n

Figure 4.<\/strong> Second-stage malicious payload loaded by Loader class<\/p>\n

Once this payload is loaded, the app displays a fake financial interface that looks like a real app. It prompts the user to input sensitive details such as their name, card number, CVV, and expiration date. The collected information is then sent to the attacker\u2019s command-and-control (C2) server. After submission, the app shows a fake card management page with messages like \u201cYou will receive email confirmation within 48 hours,\u201d giving the false impression that the process is ongoing. All features on the page are fake and do not perform any real function.<\/p>\n

 <\/p>\n

\"\"<\/p>\n

Figure 5.<\/strong> Fake card verification screen<\/p>\n

Monero Mining Process<\/h2>\n

As mentioned earlier, one of this campaign’s key features is its hidden cryptomining functionality. The app includes a service that listens for specific FCM messages, which trigger for start of the mining process.<\/p>\n

 <\/p>\n

\"\"<\/p>\n

Figure 6.<\/strong> Firebase messaging service is declared in the manifest.<\/p>\n

 <\/p>\n

In the second-stage dynamically loaded code, there is a routine that attempts to download a binary file from external sources. The malware contains 3 hardcoded URLs and tries to download the binary from all of them.<\/p>\n

\"\"<\/p>\n

Figure 7.<\/strong> Hardcoded URLs used by the malware to download a binary file<\/p>\n

 <\/p>\n

The downloaded binary is encrypted and has a .so extension, which usually indicates a native library. However, instead of loading it normally, the malware uses ProcessBuilder, a Java class for running external processes, to directly execute the file like a standalone binary.<\/p>\n

\"\"<\/p>\n

Figure 8.<\/strong> Executing downloaded binary using ProcessBuilder<\/p>\n

What\u2019s particularly interesting is the way the binary is executed. The malware passes a set of arguments to the process that exactly match the command-line options used by XMRig, an open-source mining tool. These include specifying the mining pool server and setting the target coin to Monero.<\/p>\n

\"\"<\/p>\n

Figure 9.<\/strong> XMRig-compatible arguments passed to the mining process<\/p>\n

 <\/p>\n

When the decrypted binary is executed, it displays log messages identical to those produced by XMRig. In summary, this malware is designed to mine Monero in the background on infected devices when it receives specific FCM messages.<\/p>\n

\"\"<\/p>\n

Figure 10.<\/strong> Decrypted binary showing XMRig log messages<\/p>\n

Recommendations and Conclusion<\/h2>\n

 <\/p>\n

\"\"<\/p>\n

Figure 11.<\/strong> Geographic distribution of infected devices<\/p>\n

Telemetry shows that most infections are concentrated in India, which aligns with the campaign\u2019s use of Hindi language and impersonation of Indian financial apps. A small number of detections were also observed in other regions, but these appear to be limited.<\/p>\n

What makes this campaign notable is its dual-purpose design, combining financial data theft with background cryptomining, triggered remotely via Firebase Cloud Messaging (FCM). This technique allows the malware to remain dormant and undetected until it receives a specific command, making it harder for users and defenders to detect.<\/p>\n

To stay protected, users are strongly advised to download apps only from trusted sources such as Google Play, and to avoid clicking on links received through SMS, WhatsApp, or social media\u2014especially those promoting financial services. It is also important to be cautious when entering personal or banking information into unfamiliar apps. In addition, using a reliable mobile security solution that can detect malicious apps and block phishing websites can provide an added layer of protection against threats like this.<\/p>\n

Indicators of Compromise (IOCs)<\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Type<\/span>\u00a0<\/span><\/td>\nValue<\/span>\u00a0<\/span><\/td>\nDescription<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
APK<\/span>\u00a0<\/span><\/td>\n2c1025c92925fec9c500e4bf7b4e9580f9342d44e21a34a44c1bce435353216c<\/span>\u00a0<\/span><\/td>\nSBI Credit Card<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
APK<\/span>\u00a0<\/span><\/td>\nb01185e1fba96209c01f00728f6265414dfca58c92a66c3b4065a344f72768ce<\/span>\u00a0<\/span><\/td>\nICICI Credit Card<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
APK<\/span>\u00a0<\/span><\/td>\n80c6435f859468e660a92fc44a2cd80c059c05801dae38b2478c5874429f12a0<\/span>\u00a0<\/span><\/td>\nAxis Credit Card<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
APK<\/span>\u00a0<\/span><\/td>\n59c6a0431d25be7e952fcfb8bd00d3815d8b5341c4b4de54d8288149090dcd74<\/span>\u00a0<\/span><\/td>\nIndusInd Credit Card<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
APK<\/span>\u00a0<\/span><\/td>\n40bae6f2f736fcf03efdbe6243ff28c524dba602492b0dbb5fd280910a87282d<\/span>\u00a0<\/span><\/td>\nKotak Credit Card<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
URL<\/span>\u00a0<\/span><\/td>\nhttps[:\/\/]www.sbi.mycardcare.in<\/span>\u00a0<\/span><\/td>\nPhishing Site<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
URL<\/span>\u00a0<\/span><\/td>\nhttps[:\/\/]kotak.mycardcard.in<\/span>\u00a0<\/span><\/td>\nPhishing Site<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
URL<\/span>\u00a0<\/span><\/td>\nhttps[:\/\/]axis.mycardcare.in<\/span>\u00a0<\/span><\/td>\nPhishing Site<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
URL<\/span>\u00a0<\/span><\/td>\nhttps[:\/\/]indusind.mycardcare.in<\/span>\u00a0<\/span><\/td>\nPhishing Site<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
URL<\/span>\u00a0<\/span><\/td>\nhttps[:\/\/]icici.mycardcare.in<\/span>\u00a0<\/span><\/td>\nPhishing Site<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Firebase<\/span>\u00a0<\/span><\/td>\n469967176169<\/span>\u00a0<\/span><\/td>\nFCM Account<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\u00a0<\/span><\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Authored by Dexter Shin McAfee\u2019s Mobile Research Team discovered a new Android malware campaign targeting Hindi-speaking users, mainly in India….<\/p>\n","protected":false},"author":695,"featured_media":217153,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-216651","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nAndroid Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Dexter Shin McAfee\u2019s Mobile Research Team discovered a new Android malware campaign targeting Hindi-speaking users, mainly in India. The\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Dexter Shin McAfee\u2019s Mobile Research Team discovered a new Android malware campaign targeting Hindi-speaking users, mainly in India. The\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-04T12:24:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-04T20:07:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/08\/shutterstock_2388818593.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"667\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto\",\"datePublished\":\"2025-08-04T12:24:34+00:00\",\"dateModified\":\"2025-08-04T20:07:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/\"},\"wordCount\":1275,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/08\/shutterstock_2388818593.jpg\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/\",\"name\":\"Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/08\/shutterstock_2388818593.jpg\",\"datePublished\":\"2025-08-04T12:24:34+00:00\",\"dateModified\":\"2025-08-04T20:07:21+00:00\",\"description\":\"Authored by Dexter Shin McAfee\u2019s Mobile Research Team discovered a new Android malware campaign targeting Hindi-speaking users, mainly in India. The\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/08\/shutterstock_2388818593.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/08\/shutterstock_2388818593.jpg\",\"width\":1000,\"height\":667},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto | McAfee Blog","description":"Authored by Dexter Shin McAfee\u2019s Mobile Research Team discovered a new Android malware campaign targeting Hindi-speaking users, mainly in India. The","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto | McAfee Blog","og_description":"Authored by Dexter Shin McAfee\u2019s Mobile Research Team discovered a new Android malware campaign targeting Hindi-speaking users, mainly in India. The","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2025-08-04T12:24:34+00:00","article_modified_time":"2025-08-04T20:07:21+00:00","og_image":[{"width":1000,"height":667,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/08\/shutterstock_2388818593.jpg","type":"image\/jpeg"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto","datePublished":"2025-08-04T12:24:34+00:00","dateModified":"2025-08-04T20:07:21+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/"},"wordCount":1275,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/08\/shutterstock_2388818593.jpg","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/","name":"Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/08\/shutterstock_2388818593.jpg","datePublished":"2025-08-04T12:24:34+00:00","dateModified":"2025-08-04T20:07:21+00:00","description":"Authored by Dexter Shin McAfee\u2019s Mobile Research Team discovered a new Android malware campaign targeting Hindi-speaking users, mainly in India. The","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/08\/shutterstock_2388818593.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/08\/shutterstock_2388818593.jpg","width":1000,"height":667},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-targets-indian-banking-users-to-steal-financial-info-and-mine-crypto\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Android Malware Targets Indian Banking Users to Steal Financial Info and Mine Crypto"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/216651","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=216651"}],"version-history":[{"count":11,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/216651\/revisions"}],"predecessor-version":[{"id":217187,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/216651\/revisions\/217187"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/217153"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=216651"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=216651"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=216651"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=216651"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}