
Android apps infected with crypto-currency miners

Thursday, November 2, 2017 By Mark Mayne

If your phone’s suddenly getting hot, you might have been compromised…

The trend for illicit cryptocurrency mining is certainly not a new one, but as the heavy-hitters of the crypto world, most notably Bitcoin, reach significant values (BTC was worth more than $6,500 today) the opportunity for criminal activity is widening.

Researchers have uncovered a host of Android apps on the official Google Play market that have been compromised with mining tools designed to use the victim’s processing power - and battery/electricity of course.

The first group of apps discovered used Coinhive’s JavaScript miner to mine Monero: the apps load the JavaScript library code from Coinhive and start mining with the attacker’s own site key, so the hashing runs on the victim’s device and the proceeds go to the attacker. Coinhive itself has attracted much attention of late, having launched an ad-unit-friendly link-shortening service that mined Monero via site visitors’ browsers and CPUs. While many sites used the code legitimately, several (including The Pirate Bay) drew criticism for not flagging the activity clearly to users. On top of that, Coinhive itself was hacked recently, with the attackers diverting hashpower to their own wallets.

Monero has long been a popular choice for hackers, as it has multiple privacy features baked in, making it less traceable than Bitcoin, and it can still be mined profitably with ordinary desktop CPUs, unlike Bitcoin, which requires specialised ASIC hardware to make any significant revenue.

The second group of compromised apps, uncovered by Trend Micro researchers, takes a more traditional tack: reverse-engineering legitimate versions of apps, adding native mining libraries, then repackaging and redistributing the result.

“The mining code appears to be a modified version of the legitimate cpuminer library. The legitimate version is only up to 2.5.0, whereas this malicious version uses 2.5.1. The code is added to normal applications - we have identified a total of 25 samples of ANDROIDOS_CPUMINER.…” said the researchers, who added that Google has already removed the offending apps from Google Play.
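The two techniques above (a WebView loading the Coinhive library with an attacker’s site key, and a repackaged app carrying a cpuminer build with a version string the legitimate project never shipped) both leave static fingerprints in an unpacked APK. The scanner below is an added example, not code from the article or from Trend Micro; it runs over the text of extracted app files and flags those fingerprints. The file layout and the sample app contents are constructed for illustration, and the `CoinHive.Anonymous('<key>')` loader shape is the well-known Coinhive browser API pattern.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators of the Coinhive-in-WebView technique: the library URL and the
# site key handed to the Anonymous miner constructor.
COINHIVE_LIB = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
COINHIVE_KEY = re.compile(r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9]{16,})['\"]", re.I)
# Version string embedded in cpuminer builds; per the article the legitimate
# library only goes up to 2.5.0, so anything above that is suspicious.
CPUMINER_VER = re.compile(r"cpuminer[/ -]?(\d+)\.(\d+)\.(\d+)", re.I)
LEGIT_CPUMINER_MAX = (2, 5, 0)

@dataclass
class Finding:
    path: str    # file inside the unpacked APK
    kind: str    # indicator category
    detail: str  # site key, version string, or description

def scan_strings(path: str, text: str) -> list[Finding]:
    """Scan the text of one extracted app file for mining indicators."""
    findings = []
    if COINHIVE_LIB.search(text):
        findings.append(Finding(path, "coinhive-loader", "loads Coinhive miner library"))
    for m in COINHIVE_KEY.finditer(text):
        findings.append(Finding(path, "coinhive-site-key", m.group(1)))
    for m in CPUMINER_VER.finditer(text):
        ver = tuple(int(x) for x in m.groups())
        if ver > LEGIT_CPUMINER_MAX:
            findings.append(Finding(path, "cpuminer-unknown-version", ".".join(map(str, ver))))
    return findings

def scan_app(files: dict[str, str]) -> list[Finding]:
    """files maps APK-relative paths to their (decoded) text contents."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_strings(path, text))
    return out

# Constructed sample (not a real app): a WebView asset with the Coinhive loader
# plus the `strings` output of a bundled native miner library.
SAMPLE_APP = {
    "assets/index.html": (
        "<script src='https://coinhive.com/lib/coinhive.min.js'></script>\n"
        "<script>var miner=new CoinHive.Anonymous('EXAMPLEKEY0123456789ABCDEF');"
        "miner.start();</script>"
    ),
    "lib/armeabi/libminer.so.strings": "cpuminer/2.5.1\nstratum+tcp://\n",
    "res/values/strings.xml": "<string name='app_name'>Wallpaper</string>",
}

if __name__ == "__main__":
    for f in scan_app(SAMPLE_APP):
        print(f"{f.path}: {f.kind} ({f.detail})")
```

On a real sample, feed it the output of `apktool d` (assets, smali, resources) plus `strings` over any bundled `.so` files; the site key is the value worth recording, since it ties samples from the same operator together.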

This technique is certainly aided by the fact that very few legitimate Google Play apps take steps to combat reverse-engineering. Researchers from High-Tech Bridge, using Mobile X-Ray, a free tool to detect app vulnerabilities, found that less than five per cent of applications use anti-debugging mechanisms to impede reverse-engineering. The researchers also found that more than 78 per cent of applications have at least one high-risk and two medium-risk vulnerabilities - even before being repackaged with other unwanted programs or malware.

Recent data from Kaspersky Lab found that in the first nine months of 2017, cryptocurrency malware had infected more than 1.65 million endpoints, a rise of 608 per cent since 2013.

Ilia Kolochenko, CEO of web security company High-Tech Bridge comments: “This trend clearly highlights that cybercriminals have found a new vector to monetize massive breaches of personal machines and devices. In the past, user machines were compromised, backdoored and sold to send spam, host illicit content, infect other machines or to be used as proxies in new attacks. Today, cybercriminals have a more reliable way to make profit from botnets turning them into cryptocurrency mines. As cryptocurrencies provide pretty good anonymity by design, risks are minimal, while profits are high and guaranteed. Therefore, I think we should expect to see this trend growing pretty quickly in the near future.

If mining software can use the full processing power of the infected machines their hardware may fail much faster. But otherwise, I don’t think we can clearly distinguish any particular risks for businesses whose machines are used for cryptocurrency mining. I’d even say that legal risks would be much smaller compared to using compromised machines to hack new victims.”

Just to put the app mining threat into perspective, a separate report this week raised another often-overlooked app security issue - the majority of employees are using consumer messaging apps for business purposes. In fact, nearly three in four employees are creating privacy, compliance and security risks by doing so, according to 451 Research. In spite of this volume, 62 per cent of companies have not made any policy changes in the past six months regarding employee messaging service usage, according to the report.

Mark Mayne has covered the security industry for more than 10 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.