Scams and Malware Abusing Google Branding to Steal Cryptocurrency
Security researchers reported multiple campaigns abusing Google branding to drive crypto theft. Malwarebytes identified a polished fraudulent “presale” site promoting a fake token called “Google Coin” and embedding a chatbot that impersonates Google Gemini; the bot delivers a scripted investment pitch, cites specific token pricing and a “2026 roadmap,” and steers victims toward sending irreversible cryptocurrency payments while avoiding verifiable corporate, regulatory, or registration details.
Separately, Kaspersky’s Securelist detailed BeatBanker, an Android malware campaign targeting Brazil. It spreads through phishing that leads victims to a website masquerading as the Google Play Store (e.g., cupomgratisfood[.]shop), which distributes trojanized APKs such as a fake “INSS Reembolso” app. The malware combines a cryptominer with a banking Trojan capable of device hijacking and screen overlays, including swapping destination addresses during USDT transactions in apps like Binance and Trust Wallet. Newer samples reportedly replaced the banking module with BTMOB RAT while retaining the broader infection chain and persistence techniques (including looping near-inaudible audio to resist termination).
Timeline
Mar 10, 2026
Malwarebytes reports fake Gemini chatbot promoting 'Google Coin' scam
Malwarebytes researchers reported a cryptocurrency scam that impersonates Google branding and a Gemini-like AI assistant to market a fake token called “Google Coin.” The fraudulent presale site used a scripted chatbot, false trust logos, and directed victims to a fake wallet dashboard and Bitcoin payment request.
Mar 10, 2026
Newer BeatBanker variants switch from banking Trojan to BTMOB RAT
Kaspersky said newer BeatBanker samples retained the miner and persistence mechanisms but replaced the earlier banking module with the BTMOB RAT, a MaaS remote administration tool associated with the CraxsRAT/CypherRAT/SpySolr ecosystem. The report also detailed extensive remote-control capabilities including screen capture, keylogging, SMS sending, device locking or wiping, and audio recording.
Mar 10, 2026
BeatBanker Android campaign targets Brazilian users via fake Play Store site
Kaspersky reported an Android malware campaign in Brazil in which victims were lured through phishing pages mimicking the Google Play Store to install trojanized apps such as “INSS Reembolso.” The malware used packed loaders, in-memory DEX execution, persistence tricks, and deployed a Monero miner while earlier waves also included a banking Trojan.
Related Stories

Fake Gemini Chatbot Used to Sell Phony “Google Coin” Cryptocurrency
Researchers reported an active cryptocurrency scam using a polished “Google Coin” presale website paired with a **fake chatbot impersonating Google’s Gemini AI assistant**. The site presents “Google Coin” as a legitimate Google-backed token (Google has no such cryptocurrency) and uses Gemini-like branding cues (e.g., sparkle icon and “Online” status) to build trust while guiding victims toward **irreversible crypto payments** to attacker-controlled wallets. The impersonating chatbot is designed to function as an automated closer: it answers investment questions, provides specific (fabricated) return projections (e.g., presale price vs. expected listing price), and persistently steers users toward purchase. Analysis noted the bot maintained a consistent “official helper” persona while **refusing verifiable company details** (registered entity, regulator/license, audit firm, official email) and deflecting concerns with vague claims about “transparency” and “security,” mirroring high-pressure social engineering tactics previously requiring human operators.
1 month ago
BeatBanker Android Malware Campaign Impersonating Starlink and Government Apps
**Kaspersky** reported a new Android malware campaign dubbed **BeatBanker** targeting users in Brazil, distributed via phishing sites that closely mimic the *Google Play Store* and lure victims into installing trojanized APKs posing as legitimate apps such as **Starlink** and the Brazilian government services app **INSS Reembolso**. The infection chain is staged to reduce suspicion: an initial decoy app presents a fake in-app “update” flow that prompts users to grant permission to install additional apps/modules, after which the malware pulls down further payloads and requests expanded privileges. Technical reporting indicates BeatBanker blends **banking trojan** capabilities with **cryptomining** (including a modified *XMRig*), and newer variants may deploy the commodity Android RAT **BTMOB** in place of the banking module, enabling broad device takeover (e.g., keylogging, screen recording, camera access, GPS tracking, and credential capture). The malware uses evasion techniques such as decrypting and loading hidden DEX code in-memory, performing anti-analysis environment checks, delaying malicious actions post-install, and maintaining persistence by continuously playing a near-inaudible MP3 (`output8.mp3`) to keep a foreground service alive and reduce the likelihood of the process being suspended by Android power management.
1 month ago
AI-Assisted Cryptocurrency Investment Scams Targeting Japan via Malvertising and Pig-Butchering Tactics
Threat actors are running cryptocurrency investment scams across Asia—**heavily targeting Japan**—that blend **malvertising** (paid ads on platforms such as Facebook and Instagram) with **pig butchering**-style long-con social engineering. Infoblox reported identifying large clusters of suspicious domains (including domains consistent with **registered domain generation algorithms (RDGAs)**) disproportionately queried by users in Japan; victims are funneled from fake ads impersonating financial experts or “AI-driven” trading systems to lure sites that push them into messaging apps (e.g., **LINE**, WhatsApp, KakaoTalk) via links or QR codes. Once in chats, victims are engaged by **AI bots** posing as experts/assistants, fed fabricated success stories, and nudged from small “test” deposits to larger transfers; when victims attempt withdrawals, scammers demand additional payments such as a **“release fee.”** Reported losses tied to this activity have reached **up to ¥10 million** per victim. A related pattern shows scammers using **AI chatbots as high-pressure sales agents** for fake crypto offerings: Malwarebytes documented a live “**Google Coin**” presale site using a chatbot impersonating Google’s **Gemini** branding to provide tailored investment projections and steer victims toward **irreversible cryptocurrency payments**; Google does not have a cryptocurrency. While this “Google Coin” case is a separate scam instance from the Japan-focused malvertising/pig-butchering operation, it reinforces the same operational shift highlighted by Infoblox: **automation and AI-driven conversational tooling** are increasingly replacing human operators to scale persuasion, maintain consistent scam personas, and accelerate victim conversion from initial interest to payment.
1 month ago