Malware leverages device-lock exploit to mine Monero, draining resources and risking hardware damage
Quick Heal Technologies Limited has uncovered a stealthy Android cryptojacking campaign in which a fake banking application, posing as an Axis Bank app, covertly mines cryptocurrency when the device is locked.
During routine threat intelligence monitoring, researchers at Seqrite Labs, Quick Heal’s malware analysis arm, identified a phishing domain, getxapp[.]in, distributing an app named “Axis Card.” Installed outside official app stores, the application presented a counterfeit update prompt but provided no genuine banking services. Instead, it embedded the open-source XMRig miner, which activates during device-lock events to mine Monero (XMR).
According to the company, the miner consumes over 2.3 GB of RAM and eight CPU threads, causing device temperatures to spike from 32°C to 45°C within 30 minutes. This sustained resource drain not only slows performance but also risks long-term battery degradation and hardware damage. To avoid detection, the mining process halts the moment the device is unlocked, preventing users from noticing abnormal activity.
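The lock-gated behaviour described above is something a defender can look for in device telemetry. The following Python heuristic is an added example, not code from Quick Heal or Seqrite: it correlates screen on/off events with per-process CPU samples and flags packages that are busy only while the screen is off. The telemetry format, the package names and the thresholds are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): screen-state changes and
# per-process CPU samples as (timestamp_seconds, kind, payload). CPU is in
# percent of one core, so 800 means eight threads fully busy.
SAMPLE_EVENTS = [
    (0, "screen", "on"),
    (10, "cpu", ("fake.axis.card", 3.0)),        # placeholder package name
    (10, "cpu", ("com.android.chrome", 25.0)),
    (10, "cpu", ("com.example.game", 350.0)),    # heavy, but heavy all the time
    (60, "screen", "off"),                       # device locked
    (70, "cpu", ("fake.axis.card", 780.0)),      # miner wakes up
    (70, "cpu", ("com.android.chrome", 1.0)),
    (70, "cpu", ("com.example.game", 340.0)),
    (130, "cpu", ("fake.axis.card", 790.0)),
    (130, "cpu", ("com.android.chrome", 0.5)),
    (130, "cpu", ("com.example.game", 360.0)),
    (200, "screen", "on"),                       # device unlocked
    (205, "cpu", ("fake.axis.card", 2.0)),       # miner goes quiet
    (205, "cpu", ("com.android.chrome", 30.0)),
    (205, "cpu", ("com.example.game", 355.0)),
]


def lock_only_cpu_hogs(events, locked_min=200.0, unlocked_max=20.0):
    """Return packages whose mean CPU is >= locked_min while the screen is off
    and <= unlocked_max while it is on, i.e. work that only happens when the
    user is not looking. Thresholds are illustrative, not tuned values."""
    locked = False
    usage = defaultdict(lambda: {"locked": [], "unlocked": []})
    # Replay events in time order, tracking the current screen state.
    for _ts, kind, payload in sorted(events, key=lambda e: e[0]):
        if kind == "screen":
            locked = payload == "off"
        elif kind == "cpu":
            pkg, pct = payload
            usage[pkg]["locked" if locked else "unlocked"].append(pct)
    flagged = []
    for pkg, s in usage.items():
        if not s["locked"] or not s["unlocked"]:
            continue  # need samples in both states to compare
        mean_locked = sum(s["locked"]) / len(s["locked"])
        mean_unlocked = sum(s["unlocked"]) / len(s["unlocked"])
        if mean_locked >= locked_min and mean_unlocked <= unlocked_max:
            flagged.append(pkg)
    return sorted(flagged)


if __name__ == "__main__":
    print(lock_only_cpu_hogs(SAMPLE_EVENTS))  # ['fake.axis.card']
```

A process that is heavy in both states (the constructed game) is deliberately not flagged; the signal is the contrast between locked and unlocked use, not raw load.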
Quick Heal Mobile Security flags the malware as Android.Dminer.A, blocking its installation and execution. It also intercepts attempts to download malicious encrypted native libraries from GitHub, Cloudflare Pages, and attacker-controlled domains such as uasecurity[.]org. The malware connects to Monero pool endpoints at pool.uasecurity.org:9000 for mining operations.
“This campaign is a textbook example of how cybercriminals exploit user trust and daily device behaviour to carry out high-impact attacks,” said a Quick Heal spokesperson. “We strongly advise users to install apps only from trusted sources, avoid unsolicited update prompts, and keep security software active at all times.”
Quick Heal recommends that users experiencing unexplained battery drain, overheating, or performance slowdowns run a full malware scan immediately. In severe cases, a factory reset—after backing up critical data—may be necessary. Victims are encouraged to report such incidents to the national cybercrime portal (cybercrime.gov.in) or call the helpline at 1930.
The discovery underscores the growing sophistication of mobile threats, where attackers increasingly blend social engineering with resource-intensive payloads to remain undetected. By targeting device-lock events, the malware sidesteps traditional detection methods, making proactive security measures critical for users and organisations alike.