Android Crypto Mining Attacks Go for Monero

Android Monero-mining malware surfaced last week, pretending to be a legitimate Google Play update app, according to research from Trend Micro. But AndroidsOS_HiddenMiner isn't the only Monero-mining malware to hit Android devices and it isn't likely to be the last, security experts noted.

Indeed. In early February, botnet ADB.Miner distributed Monero-mining malware that targeted Android devices, according to Qihoo 360 Netlab, which made the discovery. And late last year, Trojan.AndroidOS Loapi, among its many nefarious features, could also mine for Monero cryptocurrency on Android devices, reported Kaspersky Lab.

(Source: Tumisu via Pixabay)

In terms of cryptocurrencies, Monero is favored over others by the bad guys because they are able to mine and cash out the cryptocurrencies without being traced and they can even steal processing power from devices as small as a smartphone to do it, Tyler Moffitt, senior threat research Aanalyst at Webroot, told Security Now.

"Monero's blockchain ledger of transactions is private and untraceable. The Bitcoin blockchain and the blockchains of the majority of other cryptos are public, meaning you can view any and all transactions on its blockchain. Ultimately, this allows someone to trace the bitcoin to an exchange address where it was cashed out into fiat currency like US dollars," Moffitt explained.

He added that Monero, unlike Bitcoin, does not need expensive, high-powered ASIC chips for mining. This allows miners and cybercriminals to use consumer grade graphic processing units (GPUs) and central processing units (CPUs) to mine for Monero.

In the case of HiddenMiner, discovered by Trend Micro, the new Android malware would use the victim's CPU power on their device. Hidden Minder was found in third-party app stores and affecting users in China and India, but Trend Micro's researchers noted in the report it would not be surprising to see it spread beyond those two countries.

How crypto mining software dials your smartphone
There are two main ways in which attackers are loading crypto mining software onto mobile phones, Andrew Blaich, a senior security researcher at Lookout, told Security Now.

First, the user visits a website that has cryptomining code contained in its javascript, similar to what Coinhive has enabled, says Blaich.

"This method is one of the more common methods we’ve seen both on and off mobile, as this cryptomining code can be delivered through a website or through ads displayed on the website," Blaich said. "It is delivered through a small piece of JavaScript code that automatically runs in a browser that hasn’t disabled JavaScript."

Streaming video services offering "free" ways to stream movies, TV shows, and especially adult entertainment content on devices like smartphones are ripe for crypto mining attacks, Moffitt says. Attackers can mine for crypto as long as the user stays connected to that particular website that is streaming content or other forms of content.

Another common way attackers can mine for cryptocurrency on users' phones is when a user installs an app that contains or downloads a cryptomining code, Blaich noted.

"We are beginning to see more reports of mobile apps containing cryptomining code," Blaich said. "Moreover, this code can be embedded the same way as in the first method by using a webview or hidden webview to load the JavaScript code. The cryptomining code can also be a native app code that doesn’t require JavaScript to run, but which can also be hidden from the user."

Security experts note users can usually detect if crypto miners are running on their smartphones because the devices run hot as the mining software burns up CPU power and quickly drains the battery. Moffitt advises users to also close any open browser tabs that seem suspect or that feature only ads.

Malicious crypto miner growth rate on smartphones
Although security experts say no hard statistics exist at this time on the number of malicious crypto miner malware attacks on smartphones, they note the trend appears to be growing.

"We're continuing to see a number of security research come out in the past several months that identifies crypto mining malware on devices more than other types of malware," Blaich says. "In fact, the ability to inject cryptomining code into an app is much easier now than it was years ago, thanks to services that have simplified it like Coinhive. So, we're only going to see an increase in this type of activity as long as it proves profitable for the attackers."

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.