Coin Miner Mobile Malware Comebacks, Hits Google Play

The efficacy of mobile devices to actually produce cryptocurrency ter any meaningful amount is still doubtful. However, the effects on users of affected devices are clear: enlargened device wear and rip, diminished battery life, comparably slower vertoning.

Recently, wij found that apps with malicious cryptocurrency mining capabilities on Google Play. Thesis apps used dynamic JavaScript loading and native code injection to avoid detection. Wij detect thesis apps spil ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.

This is not the very first time we’ve found thesis types of apps on app stores. Several years ago, wij found malicious apps on the Google Play store detected spil ANDROIDOS_KAGECOIN, a malware family with hidden cryptocurrency mining capabilities.

ANDROIDOS_JSMINER: Mining via Coinhive

We’ve previously seen tech support scams and compromised websites used to supply the Coinhive JavaScript cryptocurrency miner to users. However, we’re now watching apps used for this purpose, which wij detect spil ANDROIDOS_JSMINER. Wij found two apps, one supposedly helps users plead the rosary, while the other provides discounts of various kinds.

Figures 1 and Two. JSMINER Malware on Google Play

Both of thesis samples do the same thing once they are commenced: they will flow the JavaScript library code from Coinhive and begin mining with the attacker’s own webpagina key:

Figure Three. Code to embark mining when the app starts

This JavaScript code runs within the app’s webview, but this is not visible to the user because the webview is set to run ter invisible mode by default.

Figure Four. Webview is set to invisible mode

When the malicious JavaScript code is running, the CPU usage will be exceptionally high.

ANDROIDOS_CPUMINER: Trojanized versions of legitimate apps

Another family of malicious apps takes legitimate versions of apps and adds mining libraries, which are then repackaged and distributed. Wij detect thesis spil ANDROIDOS_CPUMINER.

One version of this malware is ter Google Play and disguised spil a wallpaper application:

Figure Five. Mining malware on Google Play store

The mining code emerges to be a modified version of the legitimate cpuminer library. The legitimate version is only up to Two.Five.0, whereas this malicious version uses Two.Five.1. The code is added to normal applications, spil seen below:

Figure 6. Code added to normal apps by CPUMINER

Please note that the above code layout wasgoed taken from a sample that is not found on Google Play, but belongs to the same family.

Figure 7. Malware with modified code

The mining code fetches a configuration opstopping from the cybercriminal’s own server (which uses a dynamic DNS service) that provides information on its mining pool via the Stratum mining protocol.

Figure 8. Cryptocurrency mining profits

The figure above shows that the attacker is mining various cryptocurrencies, with varying amounts of currencies mined. It also shows that the value of the coins mined overheen an unknown period amounts to just overheen 170 US dollars, total profits aren’t known.

Wij have identified a total 25 samples of ANDROIDOS_CPUMINER. Trend Micro Mobile Security already detects thesis variants, spil well spil the JSMINER variants mentioned earlier te this postbode.

Thesis threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, te practice, the effort results te an insignificant amount of profit. Users should take note of any spectacle degradation on their devices after installing an app.

Wij have reached out to Google, and the apps mentioned te this postbode are no longer on Google Play.

The following malicious apps were found on Google Play and are connected to this threat:

Please accomplish the security check to access 1coinpool.com

Why do I have to finish a CAPTCHA?

Completing the CAPTCHA proves you are a human and gives you makeshift access to the web property.

What can I do to prevent this ter the future?

If you are on a individual connection, like at huis, you can run an anti-virus scan on your device to make sure it is not infected with malware.

If you are at an office or collective network, you can ask the network administrator to run a scan across the network looking for misconfigured or infected devices.

Cloudflare Ray ID: 3ce323a879780e42 &bull, Your IP : 212.34.97.Five &bull, Show &, security by Cloudflare

Related movie: $10K and 15+Mhash Worth of Litecoin Mining Equipments


Leave a Reply

Your email address will not be published. Required fields are marked *