3/27/2014

Android Apps Hide Crypto-Currency Mining Malware

Apps downloaded by millions from Google Play and Spanish software forums include hidden altcoin-mining software. But criminals aren't getting rich quickly.

Security researchers this week warned that malware designed to mine crypto-currencies has been hidden in apps distributed via Google Play as well as in online forums.

Malware known as KageCoin has been hidden inside two apps distributed through Google Play -- Songs and Prized -- which have collectively been downloaded more than a million times by Android users, Trend Micro mobile threat analyst Veo Zhang said Tuesday in a blog post. While the security firm informed Google about the apps, as of Thursday morning they were still available for download via Google Play.

The KageCoin malware was originally discovered in the wild -- not being distributed via Google Play -- in versions of some popular apps, including Football Manager Handheld and TuneIn Radio, that had been repackaged to include code from cpuminer, a multi-threaded CPU miner that runs on Android.

That previous version of KageCoin apparently earned its creators "thousands of Dogecoins," Zhang said. But even with a botnet composed of thousands of infected smartphones, the criminals behind this enterprise aren't getting rich quickly: 1,000 Dogecoins are worth only 60 cents. "Yes, they can gain money this way, but at a glacial pace," he said.

Those economics might help explain why the version of KageCoin hidden in the Google Play apps has been updated to work with the WafflePool mining pool, which is designed to mine a variety of "altcoins" -- meaning any crypto-currency that isn't Bitcoin. Whatever altcoins the pool's miners produce, however, the pool pays them in bitcoins.

As far as malware goes, KageCoin isn't the worst parasite on the books, given that it's somewhat resource-savvy. "The mining only occurs when the device is charging, [so] the increased energy usage won't be noticed as much," Zhang said.

But the same can't be said for a malware family known as CoinKrypt, which has been distributed via online forums based in Spain -- although most of the infections appear to be based in France. Notably, one sign of infection by CoinKrypt is that it consumes a vast amount of resources. "[At] a minimum, users affected by this malware will find their phones getting warm and their battery-life massively shortened," said Marc Rogers, principal security researcher at Lookout, in a blog post. Users' mobile phone accounts, of course, may also get drained. "CoinKrypt might suck up your data plan by periodically downloading what is known as a block chain, or a copy of the currency transaction history, which can be several gigabytes in size."

image (derived) courtesy of Flickr user .RGB

From a programming perspective, as with KageCoin, this malware is far from sophisticated. In this case, however, "lack of complexity is part of what makes it dangerous," Rogers said. Unlike purpose-built crypto-currency-mining software, the malware includes no throttle to keep it from overtaxing the processor or to manage battery life, and it will keep running until the device loses power, as well as "potentially damage hardware by causing it to overheat and even burn out."
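The symptoms described above (sustained idle CPU load, a miner that only works while the device is charging, rising temperature, and gigabytes of blockchain downloads) are all things a device-management or battery-health agent can measure. The following Python is an added illustration of that defensive check, written for this article; it is not code from Trend Micro, Lookout or any of the malware families discussed. The telemetry records, field names, the two malware-like profiles and every threshold are constructed assumptions.

```python
"""Heuristic spotting of mining-like behaviour in device telemetry.

Added illustration for this article; it is not code from Trend Micro, Lookout
or any of the malware families discussed.  The telemetry records, the field
names and every threshold below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Sample:
    minute: int        # minutes since the start of the observation window
    cpu_pct: float     # average CPU utilisation over the minute, 0-100
    screen_on: bool    # the user is interacting with the device
    charging: bool     # device is on a charger
    temp_c: float      # battery temperature in Celsius
    rx_mb: float       # megabytes downloaded during the minute


# Constructed thresholds; tune them per device model and fleet.
CPU_HOT = 80.0            # percent
SUSTAINED_MINUTES = 5     # consecutive idle minutes at or above CPU_HOT
TEMP_RISE_C = 8.0         # degrees above the first reading in the window
RX_MB_PER_HOUR = 500.0    # a block-chain download looks like this


def longest_busy_idle_run(samples: List[Sample]) -> int:
    """Longest run of consecutive minutes with the screen off and CPU >= CPU_HOT."""
    best = run = 0
    for s in samples:
        if not s.screen_on and s.cpu_pct >= CPU_HOT:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def analyse(samples: List[Sample]) -> Dict[str, object]:
    """Return the measured indicators and the findings they trigger."""
    if not samples:
        return {"findings": []}
    busy = [s for s in samples if not s.screen_on and s.cpu_pct >= CPU_HOT]
    run = longest_busy_idle_run(samples)
    temp_rise = max(s.temp_c for s in samples) - samples[0].temp_c
    rx_per_hour = sum(s.rx_mb for s in samples) * 60.0 / len(samples)
    findings = []
    if run >= SUSTAINED_MINUTES:
        findings.append(f"CPU >= {CPU_HOT:.0f}% for {run} consecutive idle minutes")
        if all(s.charging for s in busy):
            # A throttled miner that only runs on the charger hides the battery
            # drain from the user, but the idle load is still measurable.
            findings.append("idle CPU load seen only while charging")
    if temp_rise >= TEMP_RISE_C:
        findings.append(f"battery temperature rose {temp_rise:.1f} C during the window")
    if rx_per_hour >= RX_MB_PER_HOUR:
        findings.append(f"download rate of {rx_per_hour:.0f} MB/h")
    return {
        "busy_minutes": len(busy),
        "longest_run": run,
        "temp_rise_c": temp_rise,
        "rx_mb_per_hour": rx_per_hour,
        "findings": findings,
    }


def _active_minutes() -> List[Sample]:
    """Ten minutes of ordinary foreground use (constructed)."""
    return [Sample(m, 25.0, True, False, 30.0, 0.2) for m in range(10)]


def constructed_benign() -> List[Sample]:
    """Foreground use followed by 20 genuinely idle minutes (constructed)."""
    return _active_minutes() + [
        Sample(m, 4.0, False, False, 30.0, 0.1) for m in range(10, 30)]


def constructed_throttled_miner() -> List[Sample]:
    """KageCoin-like profile (constructed): heavy idle CPU only on the charger."""
    return _active_minutes() + [
        Sample(m, 90.0, False, True, 32.0, 0.2) for m in range(10, 30)]


def constructed_unthrottled_miner() -> List[Sample]:
    """CoinKrypt-like profile (constructed): no throttle, rising heat, big downloads."""
    return _active_minutes() + [
        Sample(m, 98.0, False, False, min(42.0, 31.0 + (m - 10)), 40.0)
        for m in range(10, 30)]


if __name__ == "__main__":
    for name, build in [("benign", constructed_benign),
                        ("throttled", constructed_throttled_miner),
                        ("unthrottled", constructed_unthrottled_miner)]:
        print(name, analyse(build())["findings"])
```

The three constructed profiles separate the cases the article draws: the benign device triggers nothing, the charger-only miner trips the sustained-CPU rule plus the "only while charging" note, and the unthrottled profile adds the temperature and download findings on top.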

CoinKrypt, like KageCoin, doesn't mine for bitcoins, which are worth about $525 each. Instead, it tries to mine Casinocoin, Dogecoin, and Litecoin. (As of Thursday, Litecoin is worth less than $15.)

Why don't smartphone malware authors try to mine bitcoins directly? The answer has to do with the complex calculations that are required to mine crypto-currencies.

"To control the rate at which new digital coins are minted, the software that runs the currency sets a difficulty rate which governs just how much processing power you need to expend in order to solve the blockchain and get new coins," Rogers said. "The difficulty for Bitcoin is so tough right now that a recent mining experiment using 600 quadcore servers was only able to generate 0.4 bitcoins."

That figure refers to an experiment conducted by iDrive, which explored whether its idle quad-core servers might provide a secondary income stream by mining bitcoins. The findings weren't good. "It's a waste of time, so any other company thinking about mining with their infrastructure, learn from us," iDrive's Matthew Harvey told Data Center Knowledge. "Don't do it. You need custom machines to effectively mine bitcoins and generate a real ROI."

But might a botnet composed of Android smartphones and tablets successfully mine altcoins? According to Lookout, based on current difficulty rates, it's 1 million times easier to mine Litecoin than Bitcoin, and more than 3.5 million times easier to mine Dogecoin than Bitcoin.

Based on the company's tests, however, today's smartphones simply aren't powerful enough to mine altcoins, either. Notably, running AndLTC mining software on a Nexus 4, researchers found that they could achieve about 8,000 hash calculations per second. But based on the difficulty level set for Litecoin (LTC), that capability "would net us 0.01 LTC after seven days non-stop mining," Rogers said. At today's exchange rates, that haul wouldn't even be worth 20 cents.
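The arithmetic behind the difficulty quotes above (Rogers' explanation of the difficulty rate, the "1 million times easier" comparison, and the Nexus 4 result) follows from one relation: at reported difficulty D, a block takes about D * 2^32 hashes on average, so expected coins scale linearly with hash rate and time and inversely with difficulty. The Python below is an added worked example for this article, not Lookout's calculation and not part of any mining software. It takes the 8,000 H/s, seven days and 0.01 LTC from the article; the 50 LTC block reward, the $15 Litecoin price used for the dollar figure, and the assumption that Litecoin reports difficulty relative to the Bitcoin difficulty-1 target are mine.

```python
"""Expected mining yield for a given hash rate and difficulty.

Added worked example for this article; it is not Lookout's calculation and
not part of any mining software.  It assumes the chain reports difficulty
the way Bitcoin-derived software does, so a block at difficulty D takes
about D * 2**32 hashes on average.  The 50 LTC block reward and the $15
price are assumptions; hash rate, duration and 0.01 LTC come from the article.
"""
HASHES_PER_DIFFICULTY_UNIT = 2 ** 32
SECONDS_PER_DAY = 86_400


def expected_blocks(hash_rate: float, difficulty: float, seconds: float) -> float:
    """Mean number of blocks found at hash_rate (H/s) over `seconds`."""
    return hash_rate * seconds / (difficulty * HASHES_PER_DIFFICULTY_UNIT)


def expected_coins(hash_rate: float, difficulty: float,
                   block_reward: float, seconds: float) -> float:
    """Mean coins earned.  A pool pays out the same expectation in small,
    steady shares (minus its fee); it does not change the mean."""
    return expected_blocks(hash_rate, difficulty, seconds) * block_reward


def implied_difficulty(hash_rate: float, coins: float,
                       block_reward: float, seconds: float) -> float:
    """Back-solve the difficulty at which hash_rate yields `coins` in `seconds`."""
    blocks = coins / block_reward
    return hash_rate * seconds / (blocks * HASHES_PER_DIFFICULTY_UNIT)


def days_to_one_coin(hash_rate: float, difficulty: float, block_reward: float) -> float:
    """Expected days of non-stop mining per whole coin."""
    per_second = expected_coins(hash_rate, difficulty, block_reward, 1.0)
    return 1.0 / (per_second * SECONDS_PER_DAY)


def relative_ease(hard_difficulty: float, easy_difficulty: float) -> float:
    """How many times more hashes per block the harder chain needs."""
    return hard_difficulty / easy_difficulty


# The article's Nexus 4 figures: about 8,000 H/s for seven days gave 0.01 LTC.
NEXUS4_HASH_RATE = 8_000.0
SEVEN_DAYS = 7 * SECONDS_PER_DAY
ARTICLE_LTC_YIELD = 0.01
ASSUMED_LTC_BLOCK_REWARD = 50.0   # assumption, see module docstring


def nexus4_report(ltc_price_usd: float = 15.0) -> dict:
    """Reproduce the article's arithmetic and extend it to a per-coin horizon."""
    d = implied_difficulty(NEXUS4_HASH_RATE, ARTICLE_LTC_YIELD,
                           ASSUMED_LTC_BLOCK_REWARD, SEVEN_DAYS)
    return {
        "implied_ltc_difficulty": d,
        "ltc_per_week": expected_coins(NEXUS4_HASH_RATE, d,
                                       ASSUMED_LTC_BLOCK_REWARD, SEVEN_DAYS),
        "usd_per_week": ARTICLE_LTC_YIELD * ltc_price_usd,
        "days_per_ltc": days_to_one_coin(NEXUS4_HASH_RATE, d,
                                         ASSUMED_LTC_BLOCK_REWARD),
    }


if __name__ == "__main__":
    for key, value in nexus4_report().items():
        print(f"{key}: {value:,.4f}")
```

The model is expectation only: it ignores variance (a single phone would almost never find a block on its own, which is why the malware joins a pool), pool fees and stale shares, and the fact that difficulty retargets upward as more hash power arrives. Under those assumptions the 0.01 LTC per week the article reports works out to about 700 days of non-stop mining per whole Litecoin, and to roughly 15 cents a week at the $15 price, consistent with the "wouldn't even be worth 20 cents" figure.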


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
securityaffairs, User Rank: Ninja
3/30/2014 | 5:01:41 AM
Mobile malware on the rise
Principal security firms agree on the fact that cybercrime, but also state-sponsored actors, are targeting mobile platforms even more.

Crypto-currency mobile malware is the latest family of malicious code that we are observing in the wild, but it's just the beginning. Bad actors can benefit from the large diffusion of mobile devices and from the low level of awareness of cyber threats.

Mobile users are unaware of threats and have wrong habits that expose them to serious risks. On the other hand, the majority of apps are not built with security by design, and the results are evident.

It's time to change the mentality; otherwise mobile will soon be a paradise for hackers and criminals.

Excellent post!