The TrendLabs Security Intelligence Blog has identified the Coin Miner mobile malware back in the Google Play store. The malware takes over a device and uses its resources to mine a selection of different cryptocurrencies. Users will often not realise what is going all. What they will see is poor battery life and degraded performance.
The apps are using several techniques to bypass security. The blog states: “These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.”
What apps were used by Coin Miner?
This attack is a change to the way coin mining solutions take control of machines. As the report states: “We’ve previously seen tech support scams and compromised websites used to deliver the Coinhive JavaScript cryptocurrency miner to users.” This move to using apps is different and given the success of other app based malware, could be more effective. Those users who jailbreak their devices to install anything are particularly at risk here, especially with the ANDROIDOS_CPUMINER attack.
The first of the two mining apps, ANDROIDOS_JSMINER takes advantage of two apps:
- Recitiamo Santo Rosario Free: This app helps users to recite the Holy Rosary.
- SafetyNet Wireless App: This is aimed at people enrolled in government assistance programs in the US who would otherwise not be able to get online.
Once installed, the apps download the Coinhive JavaScript library and start mining cryptocurrencies. The apps run in a hidden browser window making it difficult for the user to know they are there. However, they do cause very high CPU utilisation. On most devices this will manifest itself as the device getting warm or even hot when held.
The second mining app, ANDROIDOS_CPUMINER turns any app into a trojan. Apps are modified and then repackaged. When a user downloads the app, often from an unofficial app store or from illegal software site, they will be quickly infected. TrendLabs discovered one such app was the Car Wallpaper HD: Mercedes, Ferrari, BMW and Audi.
TrendLabs says that it detected a total of 25 instances of ANDROIDOS_CPUMINER in addition to the ANDROIDOS_JSMINER infected apps.
What does this mean?
The explosion in cryptocurrencies and the need to mine them early to make a serious profit is driving these attacks. It is highly unlikely that we will see any let up in the number of attacks over the next year or even longer. Criminals are also getting smarter and looking for new ways to infect machines.
The big question here is what value is realistically being gained from using mobile devices? While they are getting more powerful the problems that need to be solved are also getting harder. This means that the return on investment for the hackers is questionable. Of course, it could be that once they realise this they will change their approach and use infected devices for other purposes.
In the blog post the authors state: “These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit. Users should take note of any performance degradation on their devices after installing an app.“
