{"id":7246,"date":"2025-07-21T17:45:14","date_gmt":"2025-07-21T12:15:14","guid":{"rendered":"https:\/\/quickheal.co.in\/knowledge-centre\/?p=7246"},"modified":"2025-07-21T17:53:45","modified_gmt":"2025-07-21T12:23:45","slug":"android-cryptojacker-disguised-as-banking-app-exploits-device-lock-state","status":"publish","type":"post","link":"https:\/\/www.quickheal.co.in\/knowledge-centre\/android-cryptojacker-disguised-as-banking-app-exploits-device-lock-state\/","title":{"rendered":"Android Cryptojacker Disguised as Banking App Exploits Device Lock State"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"7246\" class=\"elementor elementor-7246\">\n\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7a45f81a e-flex e-con-boxed e-con e-parent\" data-id=\"7a45f81a\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-50128ed7 elementor-widget elementor-widget-text-editor\" data-id=\"50128ed7\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<!-- wp:paragraph -->\n<p>The global craze around cryptocurrency has fueled both innovation and exploitation. While many legally chase digital gold, cybercriminals hijack devices to mine it covertly. Recently, we came across a phishing website impersonating a well-known bank, hosting a fake Android app. While the app does not function like a real banking application, it used the bank\u2019s name and icon to mislead users. Behind the scenes, it silently performs cryptocurrency mining, abusing user devices for illicit gain.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Cryptocurrency mining (or crypto mining) uses computing power to validate and record transactions on a blockchain network. In return, miners are rewarded with new cryptocurrency coins.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>This process involves solving complex mathematical puzzles that require significant CPU or GPU resources. 
While large-scale miners often use powerful rigs equipped with high-end GPUs or ASICs for maximum efficiency, individuals can also legitimately mine cryptocurrencies using personal devices like PCs or smartphones.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Because of Google Play Store policies related to cryptocurrency mining, even legitimate apps that perform on-device mining are not allowed to be published on the Play Store. As a result, users often install such mining applications from third-party sources or unofficial app stores, which increases the risk of encountering malicious or compromised apps disguised as legitimate ones.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>Threat actors take advantage of this situation by spreading fake apps on third-party stores and websites. These malicious apps have cryptocurrency mining code embedded within them, allowing attackers to secretly use victims\u2019 devices to mine cryptocurrency for their own benefit.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>By legitimate cryptocurrency mining apps, we mean those that disclose their mining activity, obtain user consent, and ensure that the mining profits go directly to the user. 
In contrast, <strong>cryptocurrency mining malware<\/strong>, also known as <strong>cryptojackers<\/strong>, secretly mines without permission, hijacking device resources so that the attacker gains all the profits.<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p>What Are the Effects of Mining Malware (cryptojackers) Installed on an Android Device?<\/p>\n<!-- \/wp:paragraph -->\n\n<!-- wp:list -->\n<ul class=\"wp-block-list\"><!-- wp:list-item -->\n<li>Battery Drain: The mining process involves constant, intensive CPU usage, which leads to rapid battery depletion.<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Overheating: Continuous computations generate excessive heat, significantly increasing the device\u2019s temperature.<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Potential Hardware Damage: Prolonged overheating and stress may cause irreversible damage to internal components like the battery, CPU, or motherboard.<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>High Data Usage: Cryptocurrency mining applications communicate frequently with mining pools, leading to unexpected data usage.<\/li>\n<!-- \/wp:list-item -->\n\n<!-- wp:list-item -->\n<li>Performance Lag: The app consumes processing power, making the device slow, laggy, or unresponsive.<\/li>\n<!-- \/wp:list-item --><\/ul>\n<!-- \/wp:list -->\n\n<!-- wp:paragraph -->\n<p>In a recent case, the phishing site (getxapp[.]in) impersonates Axis Bank and hosts a fake application called \u201cAxis Card.\u201d The malware author has embedded XMRig to perform cryptocurrency mining in the background. 
XMRig is an open-source cryptocurrency mining software designed to mine Monero and other coins.\u00a0<\/p>\n<!-- \/wp:paragraph -->\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-1a978c9 e-flex e-con-boxed e-con e-parent\" data-id=\"1a978c9\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8924559 elementor-widget elementor-widget-image\" data-id=\"8924559\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"374\" height=\"390\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/phishing-site-1-374x390.jpg\" class=\"attachment-large size-large wp-image-7269\" alt=\"\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/phishing-site-1-374x390.jpg 374w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/phishing-site-1-287x300.jpg 287w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/phishing-site-1-24x24.jpg 24w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/phishing-site-1.jpg 432w\" sizes=\"(max-width: 374px) 100vw, 374px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b84d193 e-flex 
e-con-boxed e-con e-parent\" data-id=\"b84d193\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b219e90 elementor-widget elementor-widget-text-editor\" data-id=\"b219e90\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"NormalTextRun SCXW253418201 BCX0\">Figure 2 illustrates the attack flow of this campaign. The user initially downloads the malware-laced application either from a phishing site or through social media platforms like WhatsApp. <\/span><span class=\"NormalTextRun SCXW253418201 BCX0\">Upon execution, the app displays a fake update screen but provides no actual functionality, causing the user to ignore it.<\/span><\/p>\n<p><span class=\"TextRun SCXW246033188 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW246033188 BCX0\">In the background, however, the malware begins <\/span><span class=\"NormalTextRun SCXW246033188 BCX0\">monitoring<\/span><span class=\"NormalTextRun SCXW246033188 BCX0\"> the device\u2019s status, particularly the battery level and screen lock state. 
Once the device is locked, the malicious app silently downloads an encrypted .so payload, decrypts it, and initiates <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW246033188 BCX0\">cryptomining<\/span><span class=\"NormalTextRun SCXW246033188 BCX0\"> activity.<\/span><\/span><span class=\"EOP SCXW246033188 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span class=\"TextRun SCXW20732212 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW20732212 BCX0\">If the user unlocks the device, the mining process <\/span><span class=\"NormalTextRun SCXW20732212 BCX0\">immediately<\/span><span class=\"NormalTextRun SCXW20732212 BCX0\"> halts, and the malware returns to the monitoring phase\u2014waiting for the next lock event. This lock\u2013unlock loop allows the miner to <\/span><span class=\"NormalTextRun SCXW20732212 BCX0\">operate<\/span><span class=\"NormalTextRun SCXW20732212 BCX0\"> stealthily and persistently. 
Over time, this prolonged background mining can lead to excessive heat, battery drain, and permanent hardware damage to the device.<\/span><\/span><span class=\"EOP SCXW20732212 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-1149706 e-flex e-con-boxed e-con e-parent\" data-id=\"1149706\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-09920a1 elementor-widget elementor-widget-image\" data-id=\"09920a1\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"553\" height=\"390\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/attack-flow-of-this-malware-application-1-553x390.jpg\" class=\"attachment-large size-large wp-image-7270\" alt=\"Attack flow of this malware application\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/attack-flow-of-this-malware-application-1-553x390.jpg 553w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/attack-flow-of-this-malware-application-1-300x212.jpg 300w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/attack-flow-of-this-malware-application-1.jpg 656w\" sizes=\"(max-width: 553px) 100vw, 553px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-77c6513 e-flex e-con-boxed e-con e-parent\" data-id=\"77c6513\" data-element_type=\"container\" 
data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f95003b elementor-widget elementor-widget-text-editor\" data-id=\"f95003b\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h2><span class=\"TextRun SCXW108088598 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW108088598 BCX0\" data-ccp-parastyle=\"heading 3\">Technical analysis:<\/span><\/span><span class=\"EOP SCXW108088598 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;201341983&quot;:0,&quot;335557856&quot;:16777215,&quot;335559738&quot;:0,&quot;335559739&quot;:225,&quot;335559740&quot;:420}\">\u00a0<\/span><\/h2>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7ba9dbb e-flex e-con-boxed e-con e-parent\" data-id=\"7ba9dbb\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6c00272 elementor-widget elementor-widget-text-editor\" data-id=\"6c00272\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW259667788 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW259667788 BCX0\">Figure 3 shows details of the malware application hosted on th<\/span><span class=\"NormalTextRun SCXW259667788 BCX0\">is<\/span> <span class=\"NormalTextRun SCXW259667788 BCX0\">fake<\/span><span class=\"NormalTextRun SCXW259667788 BCX0\"> website.<\/span><\/span><span class=\"EOP SCXW259667788 BCX0\" 
data-ccp-props=\"{}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-2bbfde7 e-flex e-con-boxed e-con e-parent\" data-id=\"2bbfde7\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4acf190 elementor-widget elementor-widget-image\" data-id=\"4acf190\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"486\" height=\"184\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/file-information.jpg\" class=\"attachment-large size-large wp-image-7250\" alt=\"File information\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/file-information.jpg 486w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/file-information-300x114.jpg 300w\" sizes=\"(max-width: 486px) 100vw, 486px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f55242d e-flex e-con-boxed e-con e-parent\" data-id=\"f55242d\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6ce77dc elementor-widget elementor-widget-text-editor\" data-id=\"6ce77dc\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"NormalTextRun SCXW84994406 BCX0\">Figure 4 highlights the permissions declared by the application in 
its manifest file. <\/span><span class=\"NormalTextRun SCXW84994406 BCX0\">Generally, Android<\/span><span class=\"NormalTextRun SCXW84994406 BCX0\"> mining applications require only the <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW84994406 BCX0\">android.permission.INTERNET<\/span><span class=\"NormalTextRun SCXW84994406 BCX0\"> permission, as it allows them to connect to remote mining servers and carry out operations over the network. This permission is no longer classified as dangerous and is automatically granted by the Android system without requiring explicit user consent.<\/span><\/p>\n<p><span class=\"TextRun SCXW176776551 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW176776551 BCX0\">Many miner apps also request the WAKE_LOCK permission to prevent the device from sleeping, ensuring uninterrupted mining activity even when the screen is off. Additionally, miners often use the <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW176776551 BCX0\">android.intent.action.BOOT_COMPLETED<\/span><span class=\"NormalTextRun SCXW176776551 BCX0\"> broadcast to automatically restart after a device reboot, thereby <\/span><span class=\"NormalTextRun SCXW176776551 BCX0\">maintaining<\/span><span class=\"NormalTextRun SCXW176776551 BCX0\"> persistence.<\/span><\/span><span class=\"EOP SCXW176776551 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span class=\"TextRun SCXW214037810 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW214037810 BCX0\">In this case, the application requests <\/span><span class=\"NormalTextRun SCXW214037810 BCX0\">Internet<\/span><span class=\"NormalTextRun SCXW214037810 BCX0\"> permission along with a few other suspicious permissions.<\/span><\/span><span class=\"EOP SCXW214037810 BCX0\" 
data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-536297d e-flex e-con-boxed e-con e-parent\" data-id=\"536297d\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-84d724d elementor-widget elementor-widget-image\" data-id=\"84d724d\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"570\" height=\"269\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/permissions-declared-by-malware.jpg\" class=\"attachment-large size-large wp-image-7251\" alt=\"Permissions declared by Malware in its Androidmanifest file\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/permissions-declared-by-malware.jpg 570w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/permissions-declared-by-malware-300x142.jpg 300w\" sizes=\"(max-width: 570px) 100vw, 570px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f292412 e-flex e-con-boxed e-con e-parent\" data-id=\"f292412\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-32b2b91 elementor-widget elementor-widget-text-editor\" data-id=\"32b2b91\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h2><span class=\"TextRun SCXW142822692 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW142822692 BCX0\">Malware execution<\/span><\/span><\/h2>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d0d62e2 e-flex e-con-boxed e-con e-parent\" data-id=\"d0d62e2\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d52a746 elementor-widget elementor-widget-text-editor\" data-id=\"d52a746\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"NormalTextRun SCXW108831764 BCX0\">The app begins by asking for permission to run in the background, which is commonly abused in mining operations to stay active without user interaction. It then displays a fake update screen claiming new features have been added, with a prominent UPDATE button. Clicking the button shows an Install prompt, but instead of installing anything, it ends with a message saying the installer has expired. Interestingly, the app declares the REQUEST_INSTALL_PACKAGES permission, suggesting it intends to install another APK. 
However, no actual installation occurs, <\/span><span class=\"NormalTextRun SCXW108831764 BCX0\">indicating<\/span><span class=\"NormalTextRun SCXW108831764 BCX0\"> the entire update flow is <\/span><span class=\"NormalTextRun SCXW108831764 BCX0\">likely staged<\/span><span class=\"NormalTextRun SCXW108831764 BCX0\"> for deception or redirection.<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-0ba782d e-flex e-con-boxed e-con e-parent\" data-id=\"0ba782d\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e1eb756 elementor-widget elementor-widget-image\" data-id=\"e1eb756\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"353\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/application-execution-flow-650x359.jpg\" class=\"attachment-large size-large wp-image-7252\" alt=\"Application execution flow\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/application-execution-flow-650x359.jpg 650w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/application-execution-flow-300x166.jpg 300w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/application-execution-flow.jpg 655w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-89a852b e-flex e-con-boxed e-con e-parent\" data-id=\"89a852b\" data-element_type=\"container\" 
data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e5ab4c7 elementor-widget elementor-widget-text-editor\" data-id=\"e5ab4c7\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW98115895 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW98115895 BCX0\">In the background, the malware repeatedly <\/span><span class=\"NormalTextRun SCXW98115895 BCX0\">attempts<\/span><span class=\"NormalTextRun SCXW98115895 BCX0\"> to download a malicious binary from one of several hardcoded URLs. These URLs point to platforms such as GitHub, Cloudflare Pages, and a custom domain (<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW98115895 BCX0\">uasecurity<\/span><span class=\"NormalTextRun SCXW98115895 BCX0\">[.]org), all of which are used to host the miner payload. 
Figure <\/span><span class=\"NormalTextRun SCXW98115895 BCX0\">6<\/span><\/span> <span class=\"TextRun SCXW98115895 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW98115895 BCX0\">illustrates this behavior.<\/span><\/span><span class=\"EOP SCXW98115895 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-cfcd9b4 e-flex e-con-boxed e-con e-parent\" data-id=\"cfcd9b4\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3b18c54 elementor-widget elementor-widget-image\" data-id=\"3b18c54\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"284\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/code-used-to-download-payload-binary.jpg\" class=\"attachment-large size-large wp-image-7253\" alt=\"\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/code-used-to-download-payload-binary.jpg 643w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/code-used-to-download-payload-binary-300x133.jpg 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e01d0c7 e-flex e-con-boxed e-con e-parent\" data-id=\"e01d0c7\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div 
class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3a2a3f6 elementor-widget elementor-widget-text-editor\" data-id=\"3a2a3f6\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW165240908 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW165240908 BCX0\">Figure<\/span><span class=\"NormalTextRun SCXW165240908 BCX0\"> 7<\/span><span class=\"NormalTextRun SCXW165240908 BCX0\"> shows a s<\/span><span class=\"NormalTextRun SCXW165240908 BCX0\">creenshot of the GitHub repository <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW165240908 BCX0\">hxxps<\/span><span class=\"NormalTextRun SCXW165240908 BCX0\">[:]\/\/<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW165240908 BCX0\">github<\/span><span class=\"NormalTextRun SCXW165240908 BCX0\">[.]com\/backend-<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW165240908 BCX0\">url<\/span><span class=\"NormalTextRun SCXW165240908 BCX0\">-provider\/access, which is used to host the miner payloads libmine-arm32.so and libmine-arm64.so. 
Both files are encrypted to evade static detection and hinder analysis.<\/span><\/span><span class=\"EOP SCXW165240908 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-2cce89e e-flex e-con-boxed e-con e-parent\" data-id=\"2cce89e\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8978a73 elementor-widget elementor-widget-image\" data-id=\"8978a73\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"616\" height=\"366\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/screenshot-of-the-github-page.jpg\" class=\"attachment-large size-large wp-image-7254\" alt=\"Screenshot of the GitHub page hosting the payload binary\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/screenshot-of-the-github-page.jpg 616w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/screenshot-of-the-github-page-300x178.jpg 300w\" sizes=\"(max-width: 616px) 100vw, 616px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f2fd8e6 e-flex e-con-boxed e-con e-parent\" data-id=\"f2fd8e6\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-bd3c0cf elementor-widget elementor-widget-text-editor\" data-id=\"bd3c0cf\" 
data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW7594806 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW7594806 BCX0\">The malware first decrypts the downloaded binary using an AES algorithm (Figure <\/span><span class=\"NormalTextRun SCXW7594806 BCX0\">8<\/span><span class=\"NormalTextRun SCXW7594806 BCX0\">). In the next step (<\/span><span class=\"NormalTextRun SCXW7594806 BCX0\">Figure <\/span><span class=\"NormalTextRun SCXW7594806 BCX0\">9<\/span><span class=\"NormalTextRun SCXW7594806 BCX0\">), the decrypted binary is written to a file named d-miner within the app&#8217;s private storage. Once written, the file is marked as executable<\/span><span class=\"NormalTextRun SCXW7594806 BCX0\">.<\/span><\/span><span class=\"EOP SCXW7594806 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-56bac63 e-flex e-con-boxed e-con e-parent\" data-id=\"56bac63\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3012a29 elementor-widget elementor-widget-image\" data-id=\"3012a29\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"259\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/payload-decryption-code-650x263.jpg\" class=\"attachment-large size-large wp-image-7255\" alt=\"\" 
srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/payload-decryption-code-650x263.jpg 650w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/payload-decryption-code-300x121.jpg 300w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/payload-decryption-code.jpg 652w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-57375fb e-flex e-con-boxed e-con e-parent\" data-id=\"57375fb\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6127d3d elementor-widget elementor-widget-image\" data-id=\"6127d3d\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"113\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/decrypted-code-saved-as-d-miner-file.jpg\" class=\"attachment-large size-large wp-image-7256\" alt=\"\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/decrypted-code-saved-as-d-miner-file.jpg 649w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/decrypted-code-saved-as-d-miner-file-300x53.jpg 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-2432f41 e-flex e-con-boxed e-con e-parent\" data-id=\"2432f41\" data-element_type=\"container\" 
data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9a36b1e elementor-widget elementor-widget-text-editor\" data-id=\"9a36b1e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW180796269 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW180796269 BCX0\">To retrieve the encrypted payload, a custom Java-based decryption method was used. Figure 10 confirms that the resulting <\/span><\/span><span class=\"TextRun SCXW180796269 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW180796269 BCX0\">.so<\/span><\/span><span class=\"TextRun SCXW180796269 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW180796269 BCX0\"> file is based on or directly derived from <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW180796269 BCX0\">XMRig\u2019s<\/span><span class=\"NormalTextRun SCXW180796269 BCX0\"> Android build. The extracted strings reference internal configuration paths, usage instructions, version details, <\/span><span class=\"NormalTextRun SCXW180796269 BCX0\">and mining-related URLs. 
These artifacts clearly <\/span><span class=\"NormalTextRun SCXW180796269 BCX0\">validate<\/span><span class=\"NormalTextRun SCXW180796269 BCX0\"> that the primary purpose of this native library is CPU-based <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW180796269 BCX0\">cryptomining<\/span><span class=\"NormalTextRun SCXW180796269 BCX0\">.<\/span><\/span><span class=\"EOP SCXW180796269 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-54b5b5d e-flex e-con-boxed e-con e-parent\" data-id=\"54b5b5d\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-047c9b9 elementor-widget elementor-widget-image\" data-id=\"047c9b9\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"628\" height=\"374\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/strings-view-from.jpg\" class=\"attachment-large size-large wp-image-7257\" alt=\"\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/strings-view-from.jpg 628w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/strings-view-from-300x179.jpg 300w\" sizes=\"(max-width: 628px) 100vw, 628px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d0b8df4 e-flex e-con-boxed e-con e-parent\" data-id=\"d0b8df4\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" 
data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8f8cdc2 elementor-widget elementor-widget-text-editor\" data-id=\"8f8cdc2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW15963269 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW15963269 BCX0\">Figure 11 illustrates the method NMuU8KNchX5bP8<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW15963269 BCX0\">Oy(<\/span><span class=\"NormalTextRun SCXW15963269 BCX0\">), which constructs the command-line arguments required by the <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW15963269 BCX0\">XMRig<\/span><span class=\"NormalTextRun SCXW15963269 BCX0\"> miner for execution. It <\/span><span class=\"NormalTextRun SCXW15963269 BCX0\">attempts<\/span><span class=\"NormalTextRun SCXW15963269 BCX0\"> to connect directly to the Monero mining pool at pool.uasecurity.org:9000, or alternatively to a proxy pool at pool-proxy.uasecurity.org:9000, depending on availability.<\/span><\/span><span class=\"EOP SCXW15963269 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7125aa5 e-flex e-con-boxed e-con e-parent\" data-id=\"7125aa5\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c385787 elementor-widget elementor-widget-image\" data-id=\"c385787\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img 
loading=\"lazy\" decoding=\"async\" width=\"488\" height=\"390\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/xmrig-initializer-code-488x390.jpg\" class=\"attachment-large size-large wp-image-7258\" alt=\"\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/xmrig-initializer-code-488x390.jpg 488w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/xmrig-initializer-code-300x240.jpg 300w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/xmrig-initializer-code.jpg 498w\" sizes=\"(max-width: 488px) 100vw, 488px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a4a5128 e-flex e-con-boxed e-con e-parent\" data-id=\"a4a5128\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0786267 elementor-widget elementor-widget-text-editor\" data-id=\"0786267\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"NormalTextRun SCXW158763219 BCX0\">After <\/span><span class=\"NormalTextRun SCXW158763219 BCX0\">determining<\/span><span class=\"NormalTextRun SCXW158763219 BCX0\"> the working <\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW158763219 BCX0\">pool<\/span><span class=\"NormalTextRun SCXW158763219 BCX0\"> endpoint, the method constructs and returns an array of command-line arguments used to launch an <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW158763219 BCX0\">XMRig<\/span><span class=\"NormalTextRun SCXW158763219 BCX0\"> miner with the following 
configuration:<\/span><\/p>\n<ul>\n<li><span class=\"TextRun SCXW19988857 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW19988857 BCX0\">-o &lt;pool&gt;: The mining pool endpoint (direct or proxy)<\/span><\/span><\/li>\n<li><span class=\"TextRun SCXW177954385 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW177954385 BCX0\">-k: Keepalive flag<\/span><\/span><\/li>\n<li><span class=\"NormalTextRun SCXW18037910 BCX0\">--<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW18037910 BCX0\">tls<\/span><span class=\"NormalTextRun SCXW18037910 BCX0\">: Enable TLS encryption<\/span><\/li>\n<li><span class=\"TextRun SCXW50138028 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW50138028 BCX0\">-u &lt;wallet&gt;: Monero wallet address where mined coins are sent<\/span><\/span><\/li>\n<li><span class=\"TextRun SCXW41662717 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW41662717 BCX0\">--coin <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW41662717 BCX0\">monero<\/span><span class=\"NormalTextRun SCXW41662717 BCX0\">: Specifies the coin<\/span><\/span><span class=\"EOP SCXW41662717 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span class=\"TextRun SCXW135609650 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW135609650 BCX0\">-p &lt;password&gt;: <\/span><span class=\"NormalTextRun SCXW135609650 BCX0\">Generated using the current date and a UUID<\/span><\/span><span class=\"EOP SCXW135609650 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><span class=\"TextRun SCXW129034967 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW129034967 
BCX0\">--<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW129034967 BCX0\">nicehash<\/span><span class=\"NormalTextRun SCXW129034967 BCX0\">: Adjusts mining strategy for <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW129034967 BCX0\">NiceHash<\/span><span class=\"NormalTextRun SCXW129034967 BCX0\"> compatib<\/span><span class=\"NormalTextRun SCXW129034967 BCX0\">ility<\/span><\/span><span class=\"EOP SCXW129034967 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span class=\"TextRun SCXW198826301 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW198826301 BCX0\">The code shown in Figure 1<\/span><span class=\"NormalTextRun SCXW198826301 BCX0\">2<\/span> <span class=\"NormalTextRun SCXW198826301 BCX0\">demonstrates<\/span><span class=\"NormalTextRun SCXW198826301 BCX0\"> how the d-miner execution is <\/span><span class=\"NormalTextRun SCXW198826301 BCX0\">initiated<\/span><span class=\"NormalTextRun SCXW198826301 BCX0\">. First, it calls NMuU8KNchX5bP8<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW198826301 BCX0\">Oy(<\/span><span class=\"NormalTextRun SCXW198826301 BCX0\">) to retrieve the arguments. Second, it obtains the path to the d-miner file. 
Finally, it executes d-miner using the retrieved arguments and file path.<\/span><\/span><span class=\"EOP SCXW198826301 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-1027656 e-flex e-con-boxed e-con e-parent\" data-id=\"1027656\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f213ebc elementor-widget elementor-widget-image\" data-id=\"f213ebc\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"147\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/code-used-to-start-d-miner-execution-650x149.jpg\" class=\"attachment-large size-large wp-image-7259\" alt=\"code used to start d-miner execution\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/code-used-to-start-d-miner-execution-650x149.jpg 650w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/code-used-to-start-d-miner-execution-300x69.jpg 300w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/code-used-to-start-d-miner-execution.jpg 659w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-914b1ed e-flex e-con-boxed e-con e-parent\" data-id=\"914b1ed\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div 
class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-bbe8cbf elementor-widget elementor-widget-text-editor\" data-id=\"bbe8cbf\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW12233718 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW12233718 BCX0\">The following code snippet <\/span><span class=\"NormalTextRun SCXW12233718 BCX0\">is responsible for<\/span><span class=\"NormalTextRun SCXW12233718 BCX0\"> uploading the report.txt file generated by the malware. This file captures the <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW12233718 BCX0\">stdout<\/span><span class=\"NormalTextRun SCXW12233718 BCX0\"> output of the <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW12233718 BCX0\">XMRig<\/span><span class=\"NormalTextRun SCXW12233718 BCX0\"> mining process, providing insight into the miner&#8217;s execution and activity.<\/span><\/span><span class=\"EOP SCXW12233718 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b1e7013 e-flex e-con-boxed e-con e-parent\" data-id=\"b1e7013\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-15b81a3 elementor-widget elementor-widget-image\" data-id=\"15b81a3\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"378\" 
src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/code-used-to-upload-650x384.jpg\" class=\"attachment-large size-large wp-image-7260\" alt=\"code used to upload\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/code-used-to-upload-650x384.jpg 650w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/code-used-to-upload-300x177.jpg 300w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/code-used-to-upload.jpg 675w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-38b283b e-flex e-con-boxed e-con e-parent\" data-id=\"38b283b\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-91d960a elementor-widget elementor-widget-text-editor\" data-id=\"91d960a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h2><span class=\"TextRun SCXW138277780 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW138277780 BCX0\">Logcat Reveals Complete Picture:<\/span><\/span><span class=\"EOP SCXW138277780 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/h2>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7c593ba e-flex e-con-boxed e-con e-parent\" data-id=\"7c593ba\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div 
class=\"elementor-element elementor-element-50766f7 elementor-widget elementor-widget-text-editor\" data-id=\"50766f7\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW165493837 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW165493837 BCX0\">The malware author has logged every action performed by the application as it sends standard output (<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW165493837 BCX0\">stdout<\/span><span class=\"NormalTextRun SCXW165493837 BCX0\">) data to the mining pool, making Logcat a valuable source for understanding the malware\u2019s full behavior.<\/span><\/span><span class=\"EOP SCXW165493837 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b186353 e-flex e-con-boxed e-con e-parent\" data-id=\"b186353\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c7143c4 elementor-widget elementor-widget-text-editor\" data-id=\"c7143c4\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h3><span class=\"TextRun SCXW55722094 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW55722094 BCX0\">Periodic Device Monitoring:<\/span><\/span><\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-333a0c1 e-flex e-con-boxed e-con e-parent\" data-id=\"333a0c1\" data-element_type=\"container\" 
data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-01ab988 elementor-widget elementor-widget-text-editor\" data-id=\"01ab988\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW55722094 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW55722094 BCX0\">Upon execution, the app checks\u2014every 5 seconds\u2014the battery level, charging status, recent installation status, and whether the device is locked. <\/span><\/span><span class=\"TextRun SCXW55722094 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW55722094 BCX0\">(See Figure 1<\/span><span class=\"NormalTextRun SCXW55722094 BCX0\">4<\/span><span class=\"NormalTextRun SCXW55722094 BCX0\">)<\/span><\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-96f1074 e-flex e-con-boxed e-con e-parent\" data-id=\"96f1074\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0066bb2 elementor-widget elementor-widget-image\" data-id=\"0066bb2\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"244\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-1.jpg\" class=\"attachment-large size-large wp-image-7261\" alt=\"Logcat screenshot 1\" 
srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-1.jpg 648w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-1-300x114.jpg 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-8926e8d e-flex e-con-boxed e-con e-parent\" data-id=\"8926e8d\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-60fed19 elementor-widget elementor-widget-text-editor\" data-id=\"60fed19\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h3><span class=\"TextRun SCXW32171681 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW32171681 BCX0\">Mining Triggered on Device Lock:<\/span><\/span><\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-8719d8d e-flex e-con-boxed e-con e-parent\" data-id=\"8719d8d\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-64dd6b0 elementor-widget elementor-widget-text-editor\" data-id=\"64dd6b0\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW262113552 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW262113552 BCX0\">As soon as the device is locked (i.e., <\/span><span 
class=\"NormalTextRun SpellingErrorV2Themed SCXW262113552 BCX0\">isDeviceLocked<\/span><span class=\"NormalTextRun SCXW262113552 BCX0\"> becomes true), the malware <\/span><span class=\"NormalTextRun SCXW262113552 BCX0\">initiates<\/span><span class=\"NormalTextRun SCXW262113552 BCX0\"> its mining process. It connects to a Monero mining pool (pool.uasecurity.org) over TLS and receives a mining job using the <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW262113552 BCX0\">RandomX<\/span><span class=\"NormalTextRun SCXW262113552 BCX0\"> algorithm. The malware then <\/span><span class=\"NormalTextRun SCXW262113552 BCX0\">allocates<\/span><span class=\"NormalTextRun SCXW262113552 BCX0\"> approximately 2.3 GB of RAM and starts mining using 8 CPU threads.<\/span> <\/span><span class=\"TextRun SCXW262113552 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW262113552 BCX0\">(See Figure 1<\/span><span class=\"NormalTextRun SCXW262113552 BCX0\">5<\/span><span class=\"NormalTextRun SCXW262113552 BCX0\">)<\/span><\/span><span class=\"EOP SCXW262113552 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-295aaf7 e-flex e-con-boxed e-con e-parent\" data-id=\"295aaf7\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f1e67cf elementor-widget elementor-widget-image\" data-id=\"f1e67cf\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"390\" 
src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-2-602x390.jpg\" class=\"attachment-large size-large wp-image-7262\" alt=\"\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-2-602x390.jpg 602w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-2-300x194.jpg 300w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-2.jpg 636w\" sizes=\"(max-width: 602px) 100vw, 602px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-6cb9ef7 e-flex e-con-boxed e-con e-parent\" data-id=\"6cb9ef7\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0c65514 elementor-widget elementor-widget-text-editor\" data-id=\"0c65514\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h3><span class=\"TextRun SCXW236155907 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW236155907 BCX0\">Mining Stops on Device Unlock:<\/span><\/span><\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-3a8238b e-flex e-con-boxed e-con e-parent\" data-id=\"3a8238b\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b2fa0f0 elementor-widget elementor-widget-text-editor\" data-id=\"b2fa0f0\" data-element_type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW176866166 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW176866166 BCX0\">As soon as the device is unlocked, the malware halts its mining activity and transitions into a monitoring state. <\/span><\/span><span class=\"TextRun SCXW176866166 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW176866166 BCX0\">(See Figure 1<\/span><span class=\"NormalTextRun SCXW176866166 BCX0\">6<\/span><span class=\"NormalTextRun SCXW176866166 BCX0\">)<\/span><\/span><span class=\"EOP SCXW176866166 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-9f1d122 e-flex e-con-boxed e-con e-parent\" data-id=\"9f1d122\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-a5f4c91 elementor-widget elementor-widget-image\" data-id=\"a5f4c91\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"607\" height=\"277\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-3.jpg\" class=\"attachment-large size-large wp-image-7263\" alt=\"Logcat screenshot 3\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-3.jpg 607w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-3-300x137.jpg 300w\" sizes=\"(max-width: 
607px) 100vw, 607px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-fac2b5e e-flex e-con-boxed e-con e-parent\" data-id=\"fac2b5e\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e133fa3 elementor-widget elementor-widget-text-editor\" data-id=\"e133fa3\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h3><span class=\"TextRun SCXW184761916 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW184761916 BCX0\">Mining Resumes on Device Lock:<\/span><\/span><span class=\"LineBreakBlob BlobObject DragDrop SCXW184761916 BCX0\"><span class=\"SCXW184761916 BCX0\">\u00a0<\/span><br class=\"SCXW184761916 BCX0\" \/><\/span><\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b9f2074 e-flex e-con-boxed e-con e-parent\" data-id=\"b9f2074\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-fcbcfb4 elementor-widget elementor-widget-text-editor\" data-id=\"fcbcfb4\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW184761916 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW184761916 BCX0\">Once the device is locked again, the malware resumes mining activity. 
<\/span><\/span><span class=\"TextRun SCXW184761916 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW184761916 BCX0\">(See Figure 1<\/span><span class=\"NormalTextRun SCXW184761916 BCX0\">7<\/span><span class=\"NormalTextRun SCXW184761916 BCX0\">)<\/span><\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b9e2cbf e-flex e-con-boxed e-con e-parent\" data-id=\"b9e2cbf\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7067b86 elementor-widget elementor-widget-image\" data-id=\"7067b86\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"591\" height=\"266\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-4.jpg\" class=\"attachment-large size-large wp-image-7264\" alt=\"Logcat screenshot 4\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-4.jpg 591w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/logcat-screenshot-4-300x135.jpg 300w\" sizes=\"(max-width: 591px) 100vw, 591px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-89ab904 e-flex e-con-boxed e-con e-parent\" data-id=\"89ab904\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6ca8dbd elementor-widget 
elementor-widget-text-editor\" data-id=\"6ca8dbd\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h3><span class=\"TextRun SCXW216625569 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW216625569 BCX0\">Effect on the device<\/span><\/span><\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-44e7054 e-flex e-con-boxed e-con e-parent\" data-id=\"44e7054\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-386fe02 elementor-widget elementor-widget-text-editor\" data-id=\"386fe02\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW209402694 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW209402694 BCX0\">The malware significantly strains the device by consuming high CPU and memory resources, leading to overheating and degraded performance.<\/span><\/span><\/p>\n<p><span class=\"TextRun SCXW174981759 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW174981759 BCX0\">The top command output clearly shows the d-miner process running under the app&#8217;s user (u0_a606), consuming over 746% CPU and 27.5% memory.<\/span><\/span><span class=\"TextRun SCXW174981759 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW174981759 BCX0\"> (See Figure 18)<\/span><\/span><span class=\"TextRun SCXW174981759 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"> <span class=\"NormalTextRun SCXW174981759 BCX0\">This confirms continuous 
<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW174981759 BCX0\">cryptomining<\/span><span class=\"NormalTextRun SCXW174981759 BCX0\"> activity in the background, heavily impacting device performance.<\/span><\/span><span class=\"EOP SCXW174981759 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b56d7b9 e-flex e-con-boxed e-con e-parent\" data-id=\"b56d7b9\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-57b6bfb elementor-widget elementor-widget-image\" data-id=\"57b6bfb\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"574\" height=\"218\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/increased-cpu-usage.jpg\" class=\"attachment-large size-large wp-image-7265\" alt=\"\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/increased-cpu-usage.jpg 574w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/increased-cpu-usage-300x114.jpg 300w\" sizes=\"(max-width: 574px) 100vw, 574px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d480b22 e-flex e-con-boxed e-con e-parent\" data-id=\"d480b22\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-26ffde2 
elementor-widget elementor-widget-text-editor\" data-id=\"26ffde2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW115477834 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW115477834 BCX0\">Figure 19 shows how the device temperature rose steadily over a 30-minute span while the phone remained locked, increasing from 32.0\u202f\u00b0C to 45.0\u202f\u00b0C. This gradual rise confirms that the miner continues to <\/span><span class=\"NormalTextRun SCXW115477834 BCX0\">operate<\/span><span class=\"NormalTextRun SCXW115477834 BCX0\"> in the background, causing sustained CPU usage and abnormal heat buildup even when the device is idle.<\/span><\/span><span class=\"EOP SCXW115477834 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7e01171 e-flex e-con-boxed e-con e-parent\" data-id=\"7e01171\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3d0876c elementor-widget elementor-widget-image\" data-id=\"3d0876c\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"392\" height=\"390\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/increased-device-temperature-392x390.jpg\" class=\"attachment-large size-large wp-image-7266\" alt=\"Increased device temperature\" 
srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/increased-device-temperature-392x390.jpg 392w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/increased-device-temperature-150x150.jpg 150w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/increased-device-temperature-24x24.jpg 24w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/increased-device-temperature-48x48.jpg 48w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/increased-device-temperature-96x96.jpg 96w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/increased-device-temperature.jpg 491w\" sizes=\"(max-width: 392px) 100vw, 392px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7f7a927 e-flex e-con-boxed e-con e-parent\" data-id=\"7f7a927\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-de6f080 elementor-widget elementor-widget-text-editor\" data-id=\"de6f080\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW154735910 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW154735910 BCX0\">Prolonged activity may damage the device&#8217;s hardware or battery and pose safety risks if left unnoticed.<\/span><\/span><span class=\"EOP SCXW154735910 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div 
class=\"elementor-element elementor-element-0261215 e-flex e-con-boxed e-con e-parent\" data-id=\"0261215\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3e6809c elementor-widget elementor-widget-text-editor\" data-id=\"3e6809c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h3><span class=\"TextRun SCXW199865959 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW199865959 BCX0\" data-ccp-parastyle=\"heading 3\">MITRE ATT&amp;CK Tactics and Techniques:<\/span><\/span><\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-8ea8609 e-flex e-con-boxed e-con e-parent\" data-id=\"8ea8609\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-bb84941 elementor-widget elementor-widget-image\" data-id=\"bb84941\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"632\" height=\"135\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/tactics-and-techniques.jpg\" class=\"attachment-large size-large wp-image-7267\" alt=\"MITRE ATT&amp;CK Tactics and Techniques\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/tactics-and-techniques.jpg 632w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/tactics-and-techniques-300x64.jpg 300w\" 
sizes=\"(max-width: 632px) 100vw, 632px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d856f18 e-flex e-con-boxed e-con e-parent\" data-id=\"d856f18\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3e2198e elementor-widget elementor-widget-text-editor\" data-id=\"3e2198e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h4><span class=\"TextRun SCXW170320536 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW170320536 BCX0\" data-ccp-parastyle=\"heading 2\">Quick Heal Detection of Android Malware<\/span><\/span><span class=\"EOP SCXW170320536 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335557856&quot;:16777215,&quot;335559738&quot;:0,&quot;335559739&quot;:105}\">\u00a0<\/span><\/h4>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-545ec96 e-flex e-con-boxed e-con e-parent\" data-id=\"545ec96\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e035131 elementor-widget elementor-widget-text-editor\" data-id=\"e035131\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"NormalTextRun SCXW238937553 BCX0\">Quick Heal detects such malicious applications with variants of <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW238937553 BCX0\">Android.<\/span><span 
class=\"NormalTextRun SpellingErrorV2Themed SCXW238937553 BCX0\">D<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW238937553 BCX0\">miner.A<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5db999d e-flex e-con-boxed e-con e-parent\" data-id=\"5db999d\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e4ca4cb elementor-widget elementor-widget-text-editor\" data-id=\"e4ca4cb\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW196842954 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW196842954 BCX0\">All mobile users are advised to install a trusted antivirus like \u201cQuick Heal Mobile Security for Android\u201d to mitigate such threats and stay protected. Our antivirus <\/span><span class=\"NormalTextRun SCXW196842954 BCX0\">software restricts users from downloading malicious applications on their mobile devices. 
Download your Android protection <\/span><\/span><a class=\"Hyperlink SCXW196842954 BCX0\" href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.quickheal.platform.advance.blue.market&amp;hl=en_IN\" target=\"_blank\" rel=\"noreferrer noopener\"><span class=\"TextRun Underlined SCXW196842954 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW196842954 BCX0\" data-ccp-charstyle=\"Hyperlink\">here<\/span><\/span><\/a><span class=\"EOP SCXW196842954 BCX0\" data-ccp-props=\"{&quot;335557856&quot;:16777215,&quot;335559739&quot;:225}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-3c53390 e-flex e-con-boxed e-con e-parent\" data-id=\"3c53390\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f888a84 elementor-widget elementor-widget-text-editor\" data-id=\"f888a84\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h3><span class=\"TextRun SCXW74090348 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW74090348 BCX0\">Conclusion:<\/span><\/span><\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5345212 e-flex e-con-boxed e-con e-parent\" data-id=\"5345212\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-956f7c7 elementor-widget elementor-widget-text-editor\" data-id=\"956f7c7\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW133435982 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW133435982 BCX0\">This campaign highlights how threat actors abuse trusted banking names like Axis Bank to distribute malware through phishing sites. The malware embeds <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW133435982 BCX0\">XMRig<\/span><span class=\"NormalTextRun SCXW133435982 BCX0\">, a cryptocurrency miner that runs silently in the background, leading to excessive CPU usage, abnormal heating, and potential long-term hardware damage. Beyond phishing sites, such malware can also spread via social media platforms, often disguised under familiar or reputable names to trick users. This reinforces the importance of user awareness, cautious app installation behavior, and robust mobile security solutions to defend against such threats.<\/span><\/span><span class=\"EOP SCXW133435982 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-1c117bb e-flex e-con-boxed e-con e-parent\" data-id=\"1c117bb\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3360957 elementor-widget elementor-widget-text-editor\" data-id=\"3360957\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h3><span class=\"TextRun SCXW5047850 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW5047850 BCX0\">IOCs<\/span><span class=\"NormalTextRun SCXW5047850 BCX0\">:<\/span><\/span><span class=\"EOP SCXW5047850 BCX0\" 
data-ccp-props=\"{&quot;335557856&quot;:16777215,&quot;335559739&quot;:225}\">\u00a0<\/span><\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a642651 e-flex e-con-boxed e-con e-parent\" data-id=\"a642651\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-48328bb elementor-widget elementor-widget-image\" data-id=\"48328bb\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"584\" height=\"108\" src=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/iocs.jpg\" class=\"attachment-large size-large wp-image-7268\" alt=\"IOCs\" srcset=\"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/iocs.jpg 584w, https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-content\/uploads\/sites\/4\/2025\/07\/iocs-300x55.jpg 300w\" sizes=\"(max-width: 584px) 100vw, 584px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a76c611 e-flex e-con-boxed e-con e-parent\" data-id=\"a76c611\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5dc0d41 elementor-widget elementor-widget-text-editor\" data-id=\"5dc0d41\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h4><span class=\"TextRun SCXW159931664 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span 
class=\"NormalTextRun SCXW159931664 BCX0\">URLs<\/span><span class=\"NormalTextRun SCXW159931664 BCX0\">:<\/span><\/span><span class=\"EOP SCXW159931664 BCX0\" data-ccp-props=\"{&quot;335557856&quot;:16777215,&quot;335559739&quot;:225}\">\u00a0<\/span><\/h4>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d436225 e-flex e-con-boxed e-con e-parent\" data-id=\"d436225\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-01ea911 elementor-widget elementor-widget-text-editor\" data-id=\"01ea911\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"NormalTextRun SCXW31410790 BCX0\">hxxps:\/\/ <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW31410790 BCX0\">getxapp<\/span><span class=\"NormalTextRun SCXW31410790 BCX0\">[.]in<\/span><\/p>\n<p><span class=\"TextRun SCXW227102769 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW227102769 BCX0\">h<\/span><span class=\"NormalTextRun SCXW227102769 BCX0\">xx<\/span><span class=\"NormalTextRun SCXW227102769 BCX0\">ps:\/\/ <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW227102769 BCX0\">accessor.pages<\/span><span class=\"NormalTextRun SCXW227102769 BCX0\">[<\/span><span class=\"NormalTextRun SCXW227102769 BCX0\">.<\/span><span class=\"NormalTextRun SCXW227102769 BCX0\">]<\/span><span class=\"NormalTextRun SCXW227102769 BCX0\">dev<\/span><\/span><span class=\"EOP SCXW227102769 BCX0\" data-ccp-props=\"{&quot;335557856&quot;:16777215,&quot;335559739&quot;:225}\">\u00a0<\/span><\/p>\n<p><span class=\"TextRun SCXW15316361 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun 
SCXW15316361 BCX0\">hxxps:\/\/uasecurity[.]org\/<\/span><\/span><\/p>\n<p><span class=\"TextRun SCXW35724172 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW35724172 BCX0\">hxxps:\/\/github[.]com\/backend-url-provider\/access\/raw\/refs\/heads\/main\/<\/span><\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b257aac e-flex e-con-boxed e-con e-parent\" data-id=\"b257aac\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d0b00cc elementor-widget elementor-widget-text-editor\" data-id=\"d0b00cc\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h4><span class=\"TextRun SCXW81627012 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW81627012 BCX0\">Min<\/span><span class=\"NormalTextRun SCXW81627012 BCX0\">ing pool domains<\/span><\/span><span class=\"TextRun SCXW81627012 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW81627012 BCX0\">:<\/span><\/span><span class=\"EOP SCXW81627012 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/h4>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-170ed8e e-flex e-con-boxed e-con e-parent\" data-id=\"170ed8e\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ffbeb07 elementor-widget elementor-widget-text-editor\" data-id=\"ffbeb07\" 
data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW70809560 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SpellingErrorV2Themed SCXW70809560 BCX0\">P<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW70809560 BCX0\">ool.uasecurity<\/span><span class=\"NormalTextRun SCXW70809560 BCX0\">[<\/span><span class=\"NormalTextRun SCXW70809560 BCX0\">.<\/span><span class=\"NormalTextRun SCXW70809560 BCX0\">]<\/span><span class=\"NormalTextRun SCXW70809560 BCX0\">org<\/span><\/span><span class=\"EOP SCXW70809560 BCX0\" data-ccp-props=\"{&quot;335559731&quot;:720,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span class=\"TextRun SCXW231833186 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW231833186 BCX0\">pool-<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW231833186 BCX0\">proxy.uasecurity<\/span><span class=\"NormalTextRun SCXW231833186 BCX0\">[<\/span><span class=\"NormalTextRun SCXW231833186 BCX0\">.<\/span><span class=\"NormalTextRun SCXW231833186 BCX0\">]<\/span><span class=\"NormalTextRun SCXW231833186 BCX0\">org<\/span><\/span><span class=\"EOP SCXW231833186 BCX0\" data-ccp-props=\"{&quot;335559731&quot;:720,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-06f57dd e-flex e-con-boxed e-con e-parent\" data-id=\"06f57dd\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-eee2ba2 elementor-widget elementor-widget-text-editor\" data-id=\"eee2ba2\" data-element_type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h4><span class=\"TextRun SCXW81444793 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW81444793 BCX0\">Wallet address<\/span><\/span><span class=\"TextRun SCXW81444793 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW81444793 BCX0\">:<\/span><\/span><\/h4>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-df8f7e6 e-flex e-con-boxed e-con e-parent\" data-id=\"df8f7e6\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-df7505d elementor-widget elementor-widget-text-editor\" data-id=\"df7505d\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span class=\"TextRun SCXW49159608 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW49159608 BCX0\">44DhRjPJrQeNDqomajQjBvdD39UiQvoeh67ABYSWMZWEWKCB3Tzhvtw2jB9KC3UARF1gsBuhvEoNEd2qSDz76BYEPYNuPKD<\/span><\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-03049ab e-flex e-con-boxed e-con e-parent\" data-id=\"03049ab\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0162ff3 elementor-widget elementor-widget-text-editor\" data-id=\"0162ff3\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<h3><span 
class=\"TextRun SCXW105586173 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW105586173 BCX0\">TIPS TO STAY DIGITALLY SAFE:<\/span><\/span><\/h3>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-1124b82 e-flex e-con-boxed e-con e-parent\" data-id=\"1124b82\" data-element_type=\"container\" data-settings=\"{&quot;content_width&quot;:&quot;boxed&quot;}\" data-core-v316-plus=\"true\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-65b114e elementor-widget elementor-widget-text-editor\" data-id=\"65b114e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul>\n<li><span class=\"TextRun SCXW256329974 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW256329974 BCX0\">Download applications only from trusted sources like <\/span><\/span><a class=\"Hyperlink SCXW256329974 BCX0\" href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.quickheal.platform&amp;hl=en_IN&amp;gl=US\" target=\"_blank\" rel=\"noreferrer noopener\"><span class=\"TextRun Underlined SCXW256329974 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW256329974 BCX0\" data-ccp-charstyle=\"Hyperlink\">Google Play Store.<\/span><\/span><\/a><span class=\"TextRun SCXW256329974 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW256329974 BCX0\">\u00a0<\/span><\/span><span class=\"EOP SCXW256329974 BCX0\" data-ccp-props=\"{&quot;335557856&quot;:16777215,&quot;335559685&quot;:255,&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<li><span class=\"TextRun SCXW1921668 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW1921668 BCX0\">Do not click on any links received 
through messages or any other social media platforms as they may be intentionally or inadvertently pointing to malicious sites.<\/span><\/span><\/li>\n<li><span class=\"TextRun SCXW89836226 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW89836226 BCX0\">Read the pop-up messages you get from the Android system before accepting or allowing any new permissions.<\/span><\/span><\/li>\n<li><span class=\"TextRun SCXW164979053 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW164979053 BCX0\">Be extremely cautious about what applications you download on your phone, as malware authors can easily spoof the original applications\u2019 names, icons, and developer details.\u00a0<\/span><\/span><\/li>\n<li><span class=\"TextRun SCXW209211336 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW209211336 BCX0\">For enhanced protection of your phone, always use a good antivirus like <\/span><\/span><a class=\"Hyperlink SCXW209211336 BCX0\" href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.quickheal.platform.advance.blue.market\" target=\"_blank\" rel=\"noreferrer noopener\"><span class=\"TextRun Underlined SCXW209211336 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW209211336 BCX0\" data-ccp-charstyle=\"Hyperlink\">Quick Heal Mobile Security for Android.<\/span><\/span><\/a><span class=\"TextRun SCXW209211336 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW209211336 BCX0\">\u00a0<\/span><\/span><span class=\"EOP SCXW209211336 BCX0\" data-ccp-props=\"{&quot;335557856&quot;:16777215,&quot;335559685&quot;:255,&quot;335559739&quot;:0}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><span class=\"TextRun SCXW88115767 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW88115767 BCX0\">Don\u2019t<\/span><span 
class=\"NormalTextRun SCXW88115767 BCX0\"> wait! <\/span><\/span><span class=\"TextRun SCXW88115767 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW88115767 BCX0\"><strong>Secure your smartphones today with Quick Heal Total Security for Mobiles &amp; Smartphones<\/strong> \u2013 <\/span><\/span><a class=\"Hyperlink SCXW88115767 BCX0\" href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.quickheal.platform.advance.blue.market\" target=\"_blank\" rel=\"noreferrer noopener\"><span class=\"TextRun Underlined SCXW88115767 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW88115767 BCX0\" data-ccp-charstyle=\"Hyperlink\">Buy or Renew Today!<\/span><\/span><\/a><span class=\"EOP SCXW88115767 BCX0\" data-ccp-props=\"{&quot;335557856&quot;:16777215,&quot;335559739&quot;:225}\">\u00a0<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>The global craze around cryptocurrency has fueled both innovation and exploitation. While many legally chase digital gold, cybercriminals hijack devices to mine it covertly. Recently, we came across a phishing website impersonating a well-known bank, hosting a fake Android app. 
While the app does not function like a real banking application, it used the bank\u2019s [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":7233,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"footnotes":""},"categories":[29],"tags":[],"class_list":["post-7246","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-frauds"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/posts\/7246"}],"collection":[{"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/comments?post=7246"}],"version-history":[{"count":7,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/posts\/7246\/revisions"}],"predecessor-version":[{"id":7278,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/posts\/7246\/revisions\/7278"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/media\/7233"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/media?parent=7246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/categories?post=7246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.co.in\/knowledge-centre\/wp-json\/wp\/v2\/tags?post=7246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}