At least 25 Android apps on the official Google Play store contain code that mines cryptocurrency in the background.
Despite the fact that cryptocurrency prices have dropped significantly over the past few months, malware authors remain optimistic about the idea of using victims' devices for mining.
SophosLabs recently discovered 25 applications on Google Play that present themselves as games, utilities and educational applications but in fact turn the victim's mobile device into a mining rig. These applications have already been downloaded and installed more than 120,000 times.
Most of the applications turned out to have Coinhive code embedded (a Monero miner implemented in JavaScript, which we discussed in the article "A new round of gray mining - browser-based mining"). Coinhive is specifically designed to run efficiently on CPUs rather than GPUs, which makes it an ideal candidate for stealth mining on mobile devices.
The miner code can be injected into any application that uses the built-in WebView browser with just a few lines of code. Monero was chosen as the mined currency because it provides a sufficient level of anonymity and hides both the recipient's address and the mined volume. These applications throttle their CPU usage carefully to avoid the effects that most often give a miner away: overheating of the device, rapid battery drain and sluggishness of the device as a whole - a mistake made by the Loapi mobile virus last year.
11 of these 25 apps were designed as preparation for standardized tests administered in the United States, such as the ACT, GRE or SAT, and were published by the same developer, Gadgetium. All of these applications contained an HTML page with a Coinhive miner. To run the miner, they first enabled JavaScript and then loaded the page in a WebView. While most Coinhive miners use scripts located on coinhive.com, two of the applications (co.lighton and com.mobeleader.spsapp) hosted the miner code on their own servers, presumably to hide from antivirus systems and firewalls, many of which block Coinhive domains by default. One of the detected applications, de.uwepost.apaintboxforkids, even used XMRig (an open-source CPU miner that supports mining several cryptocurrencies, including Monero).
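The behaviours described above (a bundled HTML page that pulls in the Coinhive library from coinhive.com or from the app's own server, a call that starts the miner, an XMRig string, and a WebView that enables JavaScript and loads a local HTML asset) can be turned into a static indicator scan over the files of an unpacked, decompiled APK. The following is an added example written for this article, not code from SophosLabs, Sophos Mobile Security or any of the named apps; the indicator names, the verdict strings and the sample file contents (including the SITE_KEY_PLACEHOLDER value and the example.invalid host) are constructed for the example.

```python
"""Static indicator scan for Coinhive/XMRig-style miners bundled in an Android app.

Added example, not the report's or any named app's code. It inspects the text files
of an unpacked, decompiled APK (HTML assets, JS, decompiled Java/smali) and reports
which of the miner-related behaviours described in the article are present.
"""
from __future__ import annotations

import re
from pathlib import Path

INDICATORS = {
    # Library fetched from the Coinhive domain (blocked by many filters).
    "coinhive_domain": re.compile(r"coinhive\.com", re.IGNORECASE),
    # The miner object itself; present whether the library is remote or self-hosted.
    "coinhive_object": re.compile(r"\bCoinHive\.(?:Anonymous|User)\s*\("),
    # The call that actually begins hashing.
    "miner_start": re.compile(r"\.start\s*\("),
    # Native CPU miner bundled instead of the JavaScript one.
    "xmrig": re.compile(r"xmrig", re.IGNORECASE),
    # WebView configured to run JavaScript ...
    "webview_js_enabled": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    # ... and pointed at an HTML page shipped inside the APK.
    "webview_loads_asset": re.compile(r'loadUrl\s*\(\s*"file:///android_asset/[^"]*\.html"'),
}

SCAN_SUFFIXES = {".html", ".htm", ".js", ".java", ".smali", ".txt", ".xml"}


def scan_text(text: str) -> set[str]:
    """Return the names of all indicators matching one file's contents."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan_files(files: dict[str, str]) -> dict[str, set[str]]:
    """Map relative path -> indicators hit, keeping only files with at least one hit."""
    return {name: hits for name, text in files.items() if (hits := scan_text(text))}


def scan_tree(root: Path) -> dict[str, set[str]]:
    """Read every text-like file under an unpacked APK directory and scan it."""
    files = {
        str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES
    }
    return scan_files(files)


def classify(findings: dict[str, set[str]]) -> str:
    """Collapse per-file hits into one verdict for the whole app."""
    hits = set().union(*findings.values())
    if "xmrig" in hits:
        return "xmrig-miner"
    if {"coinhive_object", "miner_start"} <= hits:
        # No reference to coinhive.com means the library is served from elsewhere,
        # the evasion the two self-hosting apps used; a domain blocklist misses it,
        # but the miner object and the start call are still in the bundled page.
        return "coinhive-remote" if "coinhive_domain" in hits else "coinhive-self-hosted"
    if {"webview_js_enabled", "webview_loads_asset"} <= hits:
        # Loading local HTML with JavaScript enabled is common in benign apps too,
        # so on its own it only warrants a closer look at the asset, not a verdict.
        return "webview-local-html-review"
    return "no-miner-indicators"


# Constructed samples standing in for files of an unpacked APK (not real app contents).
REMOTE_MINER_HTML = """<html><body>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {threads: 1});
miner.start();</script></body></html>"""

SELF_HOSTED_MINER_HTML = """<html><body>
<script src="https://cdn.example.invalid/static/lib.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {threads: 1});
m.start();</script></body></html>"""

WEBVIEW_JAVA = """WebView w = findViewById(R.id.web);
w.getSettings().setJavaScriptEnabled(true);
w.loadUrl("file:///android_asset/exam_tips.html");"""

BENIGN_HTML = "<html><body><h1>Practice test 1</h1><script>document.title='GRE';</script></body></html>"

SAMPLE_APPS = {
    "remote": {"assets/page.html": REMOTE_MINER_HTML, "sources/MainActivity.java": WEBVIEW_JAVA},
    "self_hosted": {"assets/page.html": SELF_HOSTED_MINER_HTML, "sources/MainActivity.java": WEBVIEW_JAVA},
    "benign": {"assets/page.html": BENIGN_HTML, "sources/MainActivity.java": WEBVIEW_JAVA},
    "native": {"sources/Native.java": 'System.loadLibrary("xmrig");'},
}

if __name__ == "__main__":
    for label, files in SAMPLE_APPS.items():
        findings = scan_files(files)
        print(f"{label}: {classify(findings)} {findings}")
```

Run it on a directory produced by apktool or jadx with `classify(scan_tree(Path("unpacked_apk")))`. The self-hosted verdict is the useful one: a defence that only blocks coinhive.com at the network level never sees those two apps, whereas the miner object and the `.start(` call remain in the bundled HTML regardless of where the library is served from.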
Even though applications that mine cryptocurrency have been and remain strictly prohibited on Google Play, many such miners remain freely available on the store. SophosLabs notified Google about these apps back in August. Although some of them have since been removed from Google Play, many are still available for download. All of them are detected by Sophos Mobile Security as Coinhive JavaScript cryptocoin miner and Android XMRig Miner.
According to Sophos News
