Following the large number of viruses being developed for Android and iOS devices, we have received reports that a large number of Amazon Fire TV and Fire TV Stick devices are being targeted by cryptocurrency miners. The hackers have developed numerous malicious strains that attempt to use the device’s available resources to generate income for the hacker operators.
Amazon Fire Miner Attacks Sighted
Security experts have reported an ongoing attack campaign in which miners target Amazon Fire devices; both the Fire TV and the Fire TV Stick are the main targets. It appears that one of the main distribution strategies relies on unprotected Amazon Web Services (AWS) S3 buckets. The criminal controllers have been found to host various viruses on the sites.
There are several possible routes by which the Amazon Fire miners can be distributed:
- The hackers can create counterfeit download pages that look like pages for legitimate apps that can be downloaded to the mobile devices. They use familiar-looking images and text elements from popular Internet services in an attempt to fool visitors into believing that this is a legitimate site.
- Using various web scripts or other means, the victims can be forwarded to the malicious instances.
- The hackers can oversee the creation of email SPAM messages that can link to the malicious strains.
The backbone of the malicious samples is the CoinHive miner code, which is one of the most popular miners. It executes complex operations that result in the “mining” of the Monero (XMR) cryptocurrency, which is one of the most popular alternatives to Bitcoin. Monero is an anonymous and secure digital currency that doesn’t store public information about the parties during transactions. Once a set number of tasks have been completed and reported to the relevant servers, the generated income is automatically wired to the hacker operators’ digital wallet (an equivalent of their bank account).
The malicious application that seems to be the main payload is called Test and uses the package name “com.google.time.timer”. When it is installed, it disrupts the video playback feature by showing the Android logo with a “Test” message popping up on the screen.
The security analysis reveals that it has been specifically made for Amazon’s devices. One of the interesting characteristics about it is the fact that if the developer options are turned off the miner will not run.
Amazon Fire owners can protect themselves by turning off the developer options menu and the installation from unknown sources feature.
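The checks described above can be scripted. The following is an added example, not code from the original report: it audits text captured from a device over adb for the package name given in the article and for the developer-options and unknown-sources settings. The settings key names are standard Android keys and are assumed to apply to your Fire OS build; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit captured adb output from a Fire TV.
# Capture commands (standard Android tooling; key names assumed valid on your
# Fire OS build):
#   adb shell pm list packages
#   adb shell settings get global adb_enabled
#   adb shell settings get global development_settings_enabled
#   adb shell settings get secure install_non_market_apps

MINER_PKG="com.google.time.timer"   # package name reported in the article

# Succeeds if the package list on stdin has an exact line for MINER_PKG.
# CRs are stripped because older adb builds return CRLF line endings, and the
# whole-line match keeps look-alike names (e.g. a longer suffix) from matching.
has_miner_pkg() {
    tr -d '\r' | grep -xF "package:${MINER_PKG}" >/dev/null
}

# Succeeds only when a `settings get` value is exactly 1 ("null" and 0 mean off).
setting_enabled() {
    [ "$(printf '%s' "$1" | tr -d '\r\n ')" = "1" ]
}

# audit PKG_LIST ADB_ENABLED DEV_SETTINGS UNKNOWN_SOURCES
# Prints one line per finding; prints nothing for a clean device.
audit() {
    if printf '%s\n' "$1" | has_miner_pkg; then
        echo "FOUND ${MINER_PKG} installed: uninstall it"
    fi
    if setting_enabled "$2"; then echo "RISK adb debugging is on"; fi
    if setting_enabled "$3"; then echo "RISK developer options are on"; fi
    if setting_enabled "$4"; then echo "RISK unknown sources is on"; fi
    return 0
}

# Constructed sample captures (not real device output).
SAMPLE_PKGS='package:com.amazon.tv.launcher
package:com.google.time.timer
package:com.example.player'

audit "$SAMPLE_PKGS" "1" "1" "0"
```

Capturing this output requires ADB debugging to be enabled on the device, so switch it off again once the audit is done.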