Cryptocurrency miners have successfully sneaked into the Google Play store. Researchers have found apps with malicious capabilities directed towards cryptocurrency mining. The apps were found to use dynamic JavaScript loading in combination with native code injection to bypass detection by security vendors.
Trend Micro researchers have detected these apps as Androidos_JSMiner and Androidos_CPUMiner.
These are not the first cases of cryptocurrency miners targeting mobile devices and app stores. A previous such finding is a miner detected in 2014, designed to mine Dogecoins and Litecoins for Bitcoin payout. The malware was dubbed Androidos_Kagecoin.
Androidos_JSMiner: A Closer Look
There have been tech support scams and compromised websites deployed to deliver the Coinhive JavaScript cryptocurrency miner. This time around, researchers detected two apps, part of the Androidos_JSMiner malware family, used for the same purpose.
Two apps were discovered – one supposedly helps users pray the rosary, while the other provides various discounts, researchers explain.
Both apps function the same way. Once installed on a device, they load the JavaScript library from Coinhive to start mining with the hacker’s site key.
If you have this miner running on your device, you would notice that the CPU usage is extremely high.
Androidos_CPUMiner: A Closer Look
These apps exploit legitimate versions of apps by adding mining libraries to them. The legitimate apps are then repackaged and distributed to users.
Researchers were able to outline one version of this malware found in Google Play, disguised as a wallpaper application.
The mining code is most likely a modified version of the legitimate cpuminer library. The legitimate version is only up to 2.5.0, whereas this malicious version uses 2.5.1, researchers point out.
The mining code fetches a configuration file from the cybercriminal’s own server (which uses a dynamic DNS service) that provides information on its mining pool via the Stratum mining protocol.
The research team has identified 25 samples of Androidos_CPUMiner.
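A defender triaging a suspicious APK can look statically for the traits described above: a Coinhive reference in packaged web assets or code, and cpuminer or Stratum strings in native libraries. The following is an added example, not code from the researchers; the indicator patterns are generic assumptions and the sample APKs, including the host pool.example, are constructed.

```python
import io
import re
import zipfile

# Generic indicator patterns (assumptions chosen for this example, not taken
# from the researchers' report): a Coinhive reference for the JSMiner
# behaviour, cpuminer/Stratum strings for the CPUMiner behaviour.
JS_PATTERNS = [re.compile(rb"coinhive", re.I)]
NATIVE_PATTERNS = [re.compile(rb"stratum\+tcp://", re.I), re.compile(rb"cpuminer", re.I)]


def scan_apk(apk_bytes):
    """Return sorted (entry, family_hint, matched_text) tuples for an APK."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            lower = info.filename.lower()
            if lower.endswith((".js", ".html", ".htm", ".dex")):
                patterns, hint = JS_PATTERNS, "js-miner"
            elif lower.startswith("lib/") and lower.endswith(".so"):
                patterns, hint = NATIVE_PATTERNS, "native-miner"
            else:
                continue  # resources, images, manifests: not inspected here
            data = apk.read(info)
            for pat in patterns:
                match = pat.search(data)
                if match:
                    text = match.group(0).decode("ascii", "replace")
                    findings.add((info.filename, hint, text))
    return sorted(findings)


def build_sample_apk(files):
    """Build a constructed in-memory APK (a ZIP archive) from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, content in files.items():
            archive.writestr(path, content)
    return buf.getvalue()


# Constructed samples for the example; none of these files come from real apps.
SUSPECT = build_sample_apk({
    "assets/index.html": b'<script src="coinhive.min.js"></script>',
    "lib/armeabi-v7a/libwall.so": b"\x7fELF\x00cpuminer 2.5.1\x00stratum+tcp://pool.example:3333\x00",
    "res/raw/readme.txt": b"wallpapers",
})
CLEAN = build_sample_apk({"assets/app.js": b"console.log('hi')", "lib/arm64-v8a/libui.so": b"\x7fELF\x00"})

if __name__ == "__main__":
    for hit in scan_apk(SUSPECT):
        print(hit)
```

A static check like this only sees what is packaged in the APK; a script or configuration file fetched at run time, as described above, has to be caught through network or CPU-usage monitoring instead.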
In conclusion, such malware samples showcase how mobile devices can also be exploited for cryptocurrency mining, despite the insufficient profit of mobile mining.
Also, Android users should pay close attention to installed apps, especially if their device's performance degrades after installing an app.
The apps mentioned in this article are no longer available on Google Play but they may quickly be replaced with other apps. So be on the lookout!