A newfound banking trojan named ‘Roamer’ has been found exploiting users on fraudulent cloud mining platforms.
The scammers behind the Roamer banking trojan engage with users through carefully crafted phishing websites. These fraudulent websites prompt users to download applications that are specifically designed to pilfer sensitive data.
Meanwhile, the scammers exploit this opportunity to monitor and extract information related to cryptocurrency transactions.
What the Roamer banking trojan steals
The Roamer banking trojan can take commands to execute malicious tasks.
The Cyble Research & Intelligence Labs (CRIL) discovered instances where the Roamer Banking Trojan was capable of executing a range of operations upon receiving the command “x0000myview”. These included codes such as pinUnlock, slideup, multiClick and more to carry out a multitude of tasks.
The Roamer banking trojan accesses the camera of the targeted user, files in the device, location of the user, SMSes, and takes screenshots of the data on the screen.
How the Roamer banking trojan targets people
CRIL researchers noted that the scammers behind the `banking trojan use their own websites, apps, and a Telegram channel to lure unsuspecting individuals. Roamer banking trojan is designed to work on Android devices.
“In recent years, cloud mining has become a convenient option for individuals interested in entering the cryptocurrency realm without extensive technical expertise or costly mining hardware,” the Cyble blog stated. Cloud mining allows users to remotely mine cryptocurrencies including Bitcoin and Ethereum.
The phishing sites that users were caught in the cybercrime were –
- Hxxps://cloudmining.uk[.]com
- Hxxps://cloud-miner[.]cc
- Hxxps://cloud-miner[.]top – This website differed in appearance from the above two as shown below:
Roamer Android malware spreading via Telegram channel
The Telegram channel called Cloud Mining was detected by CRIL researchers. This channel was operative since May 15, 2023, suggesting the scam is fairly new and may not have had many victims so far.
The Telegram channel, which has over five thousand subscribers at the time of writing, was used to post regular updates about cloud mining schemes.
The channel description reads, “Cloud mining allows you to use the computing power of mining equipment hosted in specialized data centers without owning or maintaining the equipment.”
A post found by Cyble on Cloud Mining called on users to download a fraudulent link claiming to be legitimate and also offered a commission for inviting other users. An APK file named CloudMining.apk is asked to be downloaded.
Creating an account on the Roamer-infected Cloud Mining website
Users are asked to register on the scam website of Cloud Mining and enter their details for the same. They are asked to recharge their accounts by transferring TRX currency. The website has a QR code to start the transactions.
The Roamer mining malware seeks permission to enable accessibility service which it uses to access the data on the device.
Researchers also found 15 other samples of malware that duped users with names similar to games and shopping malls.
The Roamer crypto malware targets 17 wallets including Coinbase, Bitso, and Huobi. It also accesses data from 9 banking applications on the device namely HDFC, MSB, and SCB mobile banking.
Users are urged not to click on random websites related to games, shopping websites, and crypto-wallets as they could be a specially crafted website.
Since the app for the Roamer malware had icons like that of Google Play Store and others, it is also urged that users maintain caution while accessing app stores from online websites.
It would be worth noting that the app store icon on the phishing website of Cloud Mining did not take users to the app store. Instead, it directly started the download of the malicious app from the hacker’s website while showing the app store icon.