Mining Malware Infects Mobile Market via Google Play Apps

Cryptocurrency mining malware for PC platforms has been around for a while, but now it has gone mobile.

Mar 27, 2014 at 10:31 a.m. UTC
Updated Sep 3, 2021 at 11:10 a.m. UTC


Cryptocurrency mining malware for PC platforms has been around for a while, but now it has gone mobile, specifically via the Android OS.

A team of security researchers from Trend Micro has managed to identify two apps that can use your Android device to mine litecoin and dogecoin.

    The apps in question are called Songs and Prized, and both are available from the Google Play Store. Songs has between one and five million downloads so far, while Prized has 10,000 to 50,000 downloads.

    This is not the first case of mining malware targeting new and unusual platforms. Linux recently got what was likely its first taste of mining malware with the Darlloz worm.

    The Android ecosystem is quite a bit bigger, but targeting it is rather pointless from a mining point of view because the hardware simply isn't up to the job.

    Malware to the moon

    The researchers identified the malware as ANDROIDOS_KAGECOIN.HBT, which has previously been found in repackaged copies of several popular apps, including Football Manager Handheld and TuneIn Radio.

    The apps were injected with CPU mining code from a legitimate Android mining app, based on cpuminer. This time around the malware was found on Google Play apps, rather than repackaged apps from third-party app stores.

    Google's hands-off approach to app vetting (or lack thereof) will probably be blamed for the mess, but in all fairness this would not be the first time a big tech firm was used to spread cryptocurrency malware.

    On New Year's Eve, Yahoo's European servers were piggybacked to spread mining malware to a large number of PCs, but the attack appears to have been limited and relatively unsuccessful.

    Once installed, this strain launched CPUminer and connected to a dynamic domain, where it was redirected to an anonymous dogecoin mining pool.

    Trend Micro said:

    "By February 17, his network of mobile miners has earned him thousands of dogecoins. After February 17, the cybercriminal changed mining pools. The malware is configured to download a file, which contains the information necessary to update the configuration of the miner. This configuration file was updated, and it now connects to the well-known WafflePool mining pool."

    The researchers now say they have identified exactly the same behaviour in apps downloaded from Google Play. At press time, both apps were still available on Google's app store.

    This time around, the miner has been configured to mine litecoins rather than dogecoins. However, the focus was initially on dogecoins and researchers believe that the cybercriminal behind the malware "accumulated a great deal" of dogecoins.

    Clever but pointless

    Although this attack has infected many thousands of devices, researchers seem baffled by the fact that someone chose to attempt it in the first place. Smartphones simply don't have enough processing power to mine cryptocurrencies effectively, and battery life is a further problem.

    Trend Micro points out:

    "Clever as the attack is, whoever carried it out may not have thought things through. Phones do not have sufficient performance to serve as effective miners. Users will also quickly notice the odd behavior of the miners – slow charging and excessively hot phones will all be seen, making the miner’s presence not particularly stealthy. Yes, they can gain money this way, but at a glacial pace."

    Trend Micro points out that there are plenty of telltale signs that point to an infection. CPUs in mobile devices spend much of their time idling, so it is relatively easy to notice that something is wrong.

    The battery drains quickly and recharges slowly, but heat is an even bigger giveaway. As anyone who was ever hooked on mobile games knows, phones and tablets heat up quickly even after a few minutes of gameplay, as the System-on-Chip (SoC) processor kicks into high gear and starts operating at the highest possible clocks when faced with a lot of load.

    It should be relatively easy to figure out if any app is mining in the background. Users who happen to notice unusual behaviour on their devices, such as a hot phone and low battery life, can easily identify the app responsible (go to: Settings > Battery), and remove it.
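The same check can be scripted for a device under test. The following is an added example, not code from Trend Micro or from the article: it flags processes whose CPU share stays high across repeated snapshots, which separates a background miner from an app that is only busy while in use. The line layout is modelled on `adb shell dumpsys cpuinfo` output; the snapshots are constructed, the package names are hypothetical, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# One process line, e.g. "  61% 4312/com.example.player: 58% user + 3% kernel"
PROC_LINE = re.compile(r"^\s*([\d.]+)%\s+\d+/([^:\s]+):")

def parse_snapshot(text):
    """Return {process name: CPU percent} for one snapshot, summing duplicates."""
    usage = defaultdict(float)
    for line in text.splitlines():
        m = PROC_LINE.match(line)
        if m:  # header and TOTAL lines carry no pid/name and are skipped
            usage[m.group(2)] += float(m.group(1))
    return dict(usage)

def sustained_cpu(snapshots, threshold=40.0, min_fraction=0.75):
    """Flag processes at or above `threshold` percent in at least
    `min_fraction` of the snapshots. A game spikes while it is played;
    a background miner stays high in nearly every sample."""
    hits = defaultdict(int)
    for snap in snapshots:
        for name, pct in parse_snapshot(snap).items():
            if pct >= threshold:
                hits[name] += 1
    needed = min_fraction * len(snapshots)
    return sorted(name for name, count in hits.items() if count >= needed)

# Constructed snapshots (not captured from a real device), taken minutes apart.
# com.example.player and com.example.game are hypothetical package names.
SNAPSHOTS = [
    "CPU usage from 60012ms to 12ms ago:\n"
    "  61% 4312/com.example.player: 58% user + 3% kernel\n"
    "  55% 5120/com.example.game: 50% user + 5% kernel\n"
    "  4.2% 812/system_server: 3% user + 1.2% kernel\n"
    "70% TOTAL: 65% user + 5% kernel",
    "  63% 4312/com.example.player: 60% user + 3% kernel\n"
    "  0.3% 5120/com.example.game: 0.2% user + 0.1% kernel\n"
    "  3% 812/system_server: 2% user + 1% kernel",
    "  59% 4312/com.example.player: 57% user + 2% kernel\n"
    "  2.1% 812/system_server: 1.5% user + 0.6% kernel",
    "  62% 4312/com.example.player: 59% user + 3% kernel\n"
    "  48% 5120/com.example.game: 44% user + 4% kernel\n"
    "  5% 812/system_server: 4% user + 1% kernel",
]

if __name__ == "__main__":
    print(sustained_cpu(SNAPSHOTS))
```
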

    It goes without saying that the two apps mentioned above should be removed from your phone immediately, if you have them installed.

    The ARM-based SoCs used in the vast majority of Android devices today simply don't have the muscle to mine cryptocurrencies. They are designed to be efficient and operate within strict thermal and power envelopes, necessitated by the size of the device and, of course, the capacity of the on-board battery.

    Even the latest and most powerful ARM-based application processors used in high-end Android smartphones and tablets, such as the Snapdragon 800, Tegra 4 or Exynos 5, don't have a fraction of the computing power needed to mine digital currencies in any sensible amount of time.

    In other words, there probably aren't that many malware developers who are willing to waste time on Android mining. The fact that someone has tried it does not mean that others will follow suit, as the returns are simply too low.
