At least 25 Android apps on the official Google Play store contain code that mines cryptocurrency in the background.
Despite the fact that cryptocurrency prices have dropped significantly over the past few months, malware authors remain optimistic about the idea of using victims' devices for mining.
SophosLabs recently discovered 25 applications on Google Play that present themselves as games, utilities and educational applications, but in fact, they turn the victim's mobile device into a mining rig. These applications have already been downloaded and installed more than 120,000 times.
Most of the applications had Coinhive code embedded (a Monero miner implemented in JavaScript, which we talked about in the article "A new round of gray mining - browser-based mining"). Coinhive is specifically designed to run efficiently on CPUs rather than GPUs, making it an ideal candidate for stealth mining on mobile devices.
The miner code can be injected into any application using the built-in WebView browser with just a few lines of code. Monero was chosen as the mined currency because this cryptocurrency provides a sufficient level of anonymity and hides both the recipient's address and the mined volume. These applications throttle their CPU usage to avoid the usual tell-tale signs: overheating of the device, rapid battery drain and sluggishness of the device as a whole. That was the mistake made by the Loapi mobile virus last year.
11 of these 25 apps were designed to help users prepare for standardized tests administered in the United States, such as the ACT, GRE or SAT, and were published by the same developer, Gadgetium. All of these applications contained an HTML page with a Coinhive miner. To run the miner, they first enabled JavaScript and then loaded the page using WebView. While most Coinhive miners use scripts located on coinhive.com, two of the applications (co.lighton and com.mobeleader.spsapp) hosted the miner code on their own servers, presumably to camouflage themselves from antivirus systems and firewalls, many of which block Coinhive domains by default. One of the detected applications, de.uwepost..apaintboxforkids, even used XMRig (an open-source CPU miner that supports mining several cryptocurrencies, including Monero).
Although applications that mine cryptocurrencies have been and remain strictly prohibited on Google Play, many such miners continue to exist freely on the market. SophosLabs notified Google about these apps back in August. Even though some of them have been removed from Google Play, many of them are still available for download. All of them are detected by Sophos Mobile Security as Coinhive JavaScript cryptocoin miner and Android XMRig Miner.
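The hosted and self-hosted cases described above can both be checked statically during app triage. The following is an added example, not code from SophosLabs or this article: it scans the HTML and JavaScript files bundled in an APK for Coinhive markers. The sample archive, its file names and the example.invalid URL are constructed, and matching on the CoinHive.* API names to catch self-hosted copies is an assumption that will miss a renamed or obfuscated script.

```python
import io
import re
import zipfile

# The domain is the one named in the article; the script file name and the
# CoinHive.* constructors are Coinhive's public JavaScript API.
INDICATORS = {
    "coinhive-api": re.compile(rb"CoinHive\.(Anonymous|User|Token)\s*\("),
    "coinhive-domain": re.compile(rb"coinhive\.com", re.I),
    "coinhive-script": re.compile(rb"coinhive(\.min)?\.js", re.I),
}
WEB_ASSET = re.compile(r"\.(html?|js)$", re.I)


def scan_apk(apk_bytes):
    """Map each bundled HTML/JS file to the sorted indicator names it matches."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not WEB_ASSET.search(name):
                continue
            data = apk.read(name)
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(data))
            if hits:
                findings[name] = hits
    return findings


def build_sample(files):
    """Pack constructed files into an in-memory zip standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed sample data: hosted script, own-server script, benign page.
KEY = b'<script>var m = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER");</script>'
SAMPLE = build_sample({
    "assets/hosted.html": b'<script src="https://coinhive.com/lib/coinhive.min.js"></script>' + KEY,
    "assets/selfhosted.html": b'<script src="https://static.example.invalid/m.js"></script>' + KEY,
    "assets/help.html": b"<html><body>Practice test instructions</body></html>",
})

if __name__ == "__main__":
    for path, hits in sorted(scan_apk(SAMPLE).items()):
        print(path, hits)
```

The self-hosted page matches only the API marker, which is why a domain blocklist alone does not flag it.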
According to Sophos News
