Coinhive Monero Cryptocurrency Mining Malware Once Again Invades Google Play

Android

There is strength in numbers, and that is part of what is driving an increase in cryptocurrency mining malware. The idea is to infect as many mobile devices as possible, and tap into the combined computing power to crunch numbers for profit. Unfortunately, this seems to be a trend (on both mobile and PC)—security outfit Trend Micro says it found apps with malicious cryptocurrency mining capabilities on Google Play.

This is not the first time these kinds of apps have appeared in Google Play, and it probably will not be the last. What they have in common is that they use dynamic JavaScript loading and native code injection to avoid detection. Trend Micro is able to identify these types of apps, which it classifies as ANDROIDOS_JSMINER and ADROIDOS_CPUMINER. Several years ago, the security outfit discovered malicious apps of a similar nature, which it dubbed ANDROIDOS_KAGECOIN.

Malicious Apps
Source: Trend Micro

"We’ve previously seen tech support scams and compromised websites used to deliver the Coinhive JavaScript cryptocurrency miner to users. However, we’re now seeing apps used for this purpose, which we detect as ANDROIDOS_JSMINER. Of the two apps we found, one supposedly helps users pray the rosary, while the other provides discounts of various kinds," Trend Micro stated in a blog post.

Both malicious apps discovered by Trend Micro do the same thing when started, which is to load the JavaScript library code from Coinhive and start mining with the attacker's own site key. The JavaScript code runs out of sight to the user, within the app's webview. The only real indication that something foul is going on is reduced performance. CPU usage is cranked up, which bog down a mobile device, make it run hotter than usual, and negatively affect battery life.

Trend Micro also found another family of malicious apps that are repackaged versions of legitimate apps. The repackaged versions contain the cryptocurrency malware. These are the ones referred to as ANDROIDOS_CPUMINER, and they come in various forms—one example is a wallpaper application with images of different cars.

It remains to be seen just how lucrative all of this is. In one instance, Trend Micro found that an attacker was mining various cryptocurrencies over an unknown period of time, which tallied up to $170. However, it is not known what the actual profit on that figure is.

The security outfit found dozens of malicious samples, all of which Google has since pulled offline. There will likely be others, so be careful of what you download, and look for signs that an app is misbehaving.