Scams and Malware Abusing Google Branding to Steal Cryptocurrency
Security researchers reported multiple campaigns abusing Google branding to drive crypto theft. Malwarebytes identified a polished fraudulent “presale” site promoting a fake token called “Google Coin” and embedding a chatbot that impersonates Google Gemini; the bot delivers a scripted investment pitch, cites specific token pricing and a “2026 roadmap,” and steers victims toward sending irreversible cryptocurrency payments while avoiding verifiable corporate, regulatory, or registration details.
Separately, Kaspersky’s Securelist detailed BeatBanker, an Android malware campaign targeting Brazil that spreads via phishing to a website masquerading as the Google Play Store (e.g., cupomgratisfood[.]shop) and distributing trojanized APKs such as a fake “INSS Reembolso” app. The malware combines a cryptominer with a banking Trojan capable of device hijacking and screen overlays, including swapping destination addresses during USDT transactions in apps like Binance and Trust Wallet; newer samples reportedly replaced the banking module with BTMOB RAT while retaining the broader infection chain and persistence techniques (including looping near-inaudible audio to resist termination).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Malwarebytes reports fake Gemini chatbot promoting 'Google Coin' scam
Malwarebytes researchers reported a cryptocurrency scam that impersonates Google branding and a Gemini-like AI assistant to market a fake token called “Google Coin.” The fraudulent presale site used a scripted chatbot, false trust logos, and directed victims to a fake wallet dashboard and Bitcoin payment request.
Newer BeatBanker variants switch from banking Trojan to BTMOB RAT
Kaspersky said newer BeatBanker samples retained the miner and persistence mechanisms but replaced the earlier banking module with the BTMOB RAT, a MaaS remote administration tool associated with the CraxsRAT/CypherRAT/SpySolr ecosystem. The report also detailed extensive remote-control capabilities including screen capture, keylogging, SMS sending, device locking or wiping, and audio recording.
BeatBanker Android campaign targets Brazilian users via fake Play Store site
Kaspersky reported an Android malware campaign in Brazil in which victims were lured through phishing pages mimicking the Google Play Store to install trojanized apps such as “INSS Reembolso.” The malware used packed loaders, in-memory DEX execution, persistence tricks, and deployed a Monero miner while earlier waves also included a banking Trojan.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Fake Gemini Chatbot Used to Sell Phony “Google Coin” Cryptocurrency
Researchers reported an active cryptocurrency scam using a polished “Google Coin” presale website paired with a **fake chatbot impersonating Google’s Gemini AI assistant**. The site presents “Google Coin” as a legitimate Google-backed token (Google has no such cryptocurrency) and uses Gemini-like branding cues (e.g., sparkle icon and “Online” status) to build trust while guiding victims toward **irreversible crypto payments** to attacker-controlled wallets. The impersonating chatbot is designed to function as an automated closer: it answers investment questions, provides specific (fabricated) return projections (e.g., presale price vs. expected listing price), and persistently steers users toward purchase. Analysis noted the bot maintained a consistent “official helper” persona while **refusing verifiable company details** (registered entity, regulator/license, audit firm, official email) and deflecting concerns with vague claims about “transparency” and “security,” mirroring high-pressure social engineering tactics previously requiring human operators.
Mar 21, 2026
BeatBanker Android Malware Campaign Impersonating Starlink and Government Apps
**Kaspersky** reported a new Android malware campaign dubbed **BeatBanker** targeting users in Brazil, distributed via phishing sites that closely mimic the *Google Play Store* and lure victims into installing trojanized APKs posing as legitimate apps such as **Starlink** and the Brazilian government services app **INSS Reembolso**. The infection chain is staged to reduce suspicion: an initial decoy app presents a fake in-app “update” flow that prompts users to grant permission to install additional apps/modules, after which the malware pulls down further payloads and requests expanded privileges. Technical reporting indicates BeatBanker blends **banking trojan** capabilities with **cryptomining** (including a modified *XMRig*), and newer variants may deploy the commodity Android RAT **BTMOB** in place of the banking module, enabling broad device takeover (e.g., keylogging, screen recording, camera access, GPS tracking, and credential capture). The malware uses evasion techniques such as decrypting and loading hidden DEX code in-memory, performing anti-analysis environment checks, delaying malicious actions post-install, and maintaining persistence by continuously playing a near-inaudible MP3 (`output8.mp3`) to keep a foreground service alive and reduce the likelihood of the process being suspended by Android power management.
Mar 21, 2026
AI-Assisted Cryptocurrency Investment Scams Targeting Japan via Malvertising and Pig-Butchering Tactics
Threat actors are running cryptocurrency investment scams across Asia—**heavily targeting Japan**—that blend **malvertising** (paid ads on platforms such as Facebook and Instagram) with **pig butchering**-style long-con social engineering. Infoblox reported identifying large clusters of suspicious domains (including domains consistent with **registered domain generation algorithms (RDGAs)**) disproportionately queried by users in Japan; victims are funneled from fake ads impersonating financial experts or “AI-driven” trading systems to lure sites that push them into messaging apps (e.g., **LINE**, WhatsApp, KakaoTalk) via links or QR codes. Once in chats, victims are engaged by **AI bots** posing as experts/assistants, fed fabricated success stories, and nudged from small “test” deposits to larger transfers; when victims attempt withdrawals, scammers demand additional payments such as a **“release fee.”** Reported losses tied to this activity have reached **up to ¥10 million** per victim. A related pattern shows scammers using **AI chatbots as high-pressure sales agents** for fake crypto offerings: Malwarebytes documented a live “**Google Coin**” presale site using a chatbot impersonating Google’s **Gemini** branding to provide tailored investment projections and steer victims toward **irreversible cryptocurrency payments**; Google does not have a cryptocurrency. While this “Google Coin” case is a separate scam instance from the Japan-focused malvertising/pig-butchering operation, it reinforces the same operational shift highlighted by Infoblox: **automation and AI-driven conversational tooling** are increasingly replacing human operators to scale persuasion, maintain consistent scam personas, and accelerate victim conversion from initial interest to payment.
Mar 21, 2026