Roamer Banking Trojan Promotion Found on Phishing Websites

A banking trojan known as “Roamer” has recently emerged, targeting users on fraudulent cloud mining platforms. The scammers behind this trojan employ carefully crafted phishing websites to engage with unsuspecting individuals, tricking them into downloading applications that are specifically designed to steal sensitive data. In particular, Roamer focuses on extracting information related to cryptocurrency transactions.

The Roamer banking trojan can execute various malicious tasks upon receiving specific commands. Researchers at Cyble Research & Intelligence Labs (CRIL) discovered that the trojan responds to the command “x0000myview” and carries out operations such as pin unlocking, sliding up, and multiple clicks. It can also access the user’s camera, device files, location, and SMS messages, and can take screenshots of data on the screen.

The scammers behind the Roamer banking trojan utilize their own websites, apps, and even a Telegram channel to lure unsuspecting victims. They take advantage of the growing popularity of cloud mining, a method that allows individuals to remotely mine cryptocurrencies like Bitcoin and Ethereum without the need for extensive technical expertise or costly mining hardware.

The phishing websites used by the scammers include URLs such as “hxxps://cloudmining.uk[.]com,” “hxxps://cloud-miner[.]cc,” and “hxxps://cloud-miner[.]top.” The appearance of these websites is designed to deceive users into thinking they are legitimate cloud mining platforms. However, they are actually vehicles for the Roamer banking trojan.

In addition to the phishing websites, the scammers also employ a Telegram channel called “Cloud Mining” to spread the Roamer malware. This channel has over five thousand subscribers and offers regular updates on cloud mining schemes. One post found on the channel urged users to download from a fraudulent link, claiming it was legitimate and even offering a commission for inviting others to join. The malicious link downloads an APK file named “CloudMining.apk.”

Upon visiting the scam website of Cloud Mining, users are asked to register and provide their details. They are also prompted to recharge their accounts by transferring TRX currency, with a QR code provided for the transaction. At this point, the Roamer banking trojan requests permission to enable accessibility services, which it uses to access data on the user’s device.

Researchers have also discovered 15 other samples of malware that masquerade as games and shopping malls, further duping unsuspecting users. The Roamer malware specifically targets 17 wallets, including popular platforms like Coinbase, Bitso, and Huobi. It also accesses data from 9 banking applications, including HDFC, MSB, and SCB mobile banking.

To protect themselves, users are advised not to click through to unfamiliar websites related to games, shopping, and crypto-wallets, as they could be cleverly crafted phishing sites. It is also recommended to exercise caution when reaching app stores through links on websites, as the Roamer malware has been found to use icons resembling those of legitimate app stores to deceive users.

As the threat of banking trojans like Roamer continues to evolve, it is crucial for users to stay vigilant and take necessary precautions to safeguard their sensitive information and financial assets. By being aware of potential scams and employing good cybersecurity practices, users can greatly reduce the risk of falling victim to such malicious attacks.
