Android Cryptojacker Disguised as Banking App Exploits Device Lock State

ID: a2094f9e-091c-5e49-b75f-b328716e403e

STIX ID: report--a2094f9e-091c-5e49-b75f-b328716e403e

Feed Name: Seqrite Blog

Threat Score
65/100

Date Published: 2025-07-18

Date Updated: 2026-04-30

Author: Digvijay Mane

...
...

This report analyzes an active Android cryptomining campaign that uses a phishing site (getxapp.in) and a fake banking app to install an XMRig-based miner. The app monitors device state, downloads an AES-encrypted native payload (libmine-arm32/64.so) from GitHub, Cloudflare, or custom domains, decrypts and executes it as 'd-miner', and runs Monero mining jobs only while the device is locked, causing high CPU and memory use, overheating, battery drain, and potential hardware damage. The report includes IOCs (URLs, pool domains, and a wallet address) and mitigation advice.