Millions Of Android Smartphones Are Being Turned Into Cryptocurrency Mining Zombies

Everyone seems to be trying to strike it rich with cryptocurrency, so it's no surprise that "drive-by cryptomining" has become a thing. If you're not aware, drive-by cryptomining is when a site injects a device with JavaScript code for the purposes of mining cryptocurrency, usually Monero (Coinhive launched a service that is widely utilized for this purpose) and without the user's knowledge or consent. It's a growing problem that is already affecting millions of mobile devices., mostly Android.

Image Source: Flickr via Rob Bulmahn

"In a campaign we first observed in late January, but which appears to have started at least around November 2017, millions of mobile users (we believe Android devices are targeted) have been redirected to a specifically designed page performing in-browser cryptomining," Malwarebytes stated in a blog post.

What Malwarebytes discovered is that malicious apps and malvertising websites are redirecting millions of Android users to sites that are specifically designed to run Monero mining software. It's an effective campaign in part because many mobile users do not bother installing security applications that might prevent this from happening, and in many cases these devices do not have any sort of web filtering configured, either.

This new campaign works a little different than most. When visitors are redirected to their mining website, they claim the mining is being done to pay for server traffic, and instructs the user to enter a CAPTCHA code.

"Your device is showing suspicious surfing behavior. Please prove that you are human by solving the captcha. Until you verify yourself as human, your browser will mine the Cryptocurrency Monero for us in order to recover the server costs incurred by bot traffic," the warning states.

The CAPTCHA code for everyone is the same ("W3FaSO5R"), and until it's entered, the affected device mines Monero at 100 percent CPU utilization.

Android users are being sent to the site both through redirected browsing and from malicious apps. There are several domains that seem linked to each other in this scam, and out of the five evaluated, they're seeing 800,000 daily visits. Users who are redirected to the site, sometimes through a pop-under, stay on the mining page for four minutes on average.

"It is difficult to determine how much Monero currency this operation is currently yielding without knowing how many other domains (and therefore total traffic) are out there. Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month. However, as cryptocurrencies continue to gain value, this amount could easily be multiplied a few times over," Malwarebytes says.

As always, be careful of what apps you install and where you download them from. You might also consider running a security program on your mobile device.