Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security //

Android

// // //
4/3/2018
08:05 AM
Dawn Kawamoto
Dawn Kawamoto
Dawn Kawamoto

Android Crypto Mining Attacks Go for Monero

Attackers hijacking Android devices to mine for cryptocurrencies are likely looking to score Monero, rather than other virtual currencies such as Bitcoin.

Android Monero-mining malware surfaced last week, pretending to be a legitimate Google Play update app, according to research from Trend Micro. But AndroidsOS_HiddenMiner isn't the only Monero-mining malware to hit Android devices and it isn't likely to be the last, security experts noted.

Indeed. In early February, botnet ADB.Miner distributed Monero-mining malware that targeted Android devices, according to Qihoo 360 Netlab, which made the discovery. And late last year, Trojan.AndroidOS Loapi, among its many nefarious features, could also mine for Monero cryptocurrency on Android devices, reported Kaspersky Lab.

(Source: Tumisu via Pixabay)

In terms of cryptocurrencies, Monero is favored over others by the bad guys because they are able to mine and cash out the cryptocurrencies without being traced and they can even steal processing power from devices as small as a smartphone to do it, Tyler Moffitt, senior threat research Aanalyst at Webroot, told Security Now.

"Monero's blockchain ledger of transactions is private and untraceable. The Bitcoin blockchain and the blockchains of the majority of other cryptos are public, meaning you can view any and all transactions on its blockchain. Ultimately, this allows someone to trace the bitcoin to an exchange address where it was cashed out into fiat currency like US dollars," Moffitt explained.

He added that Monero, unlike Bitcoin, does not need expensive, high-powered ASIC chips for mining. This allows miners and cybercriminals to use consumer grade graphic processing units (GPUs) and central processing units (CPUs) to mine for Monero.

In the case of HiddenMiner, discovered by Trend Micro, the new Android malware would use the victim's CPU power on their device. Hidden Minder was found in third-party app stores and affecting users in China and India, but Trend Micro's researchers noted in the report it would not be surprising to see it spread beyond those two countries.

How crypto mining software dials your smartphone
There are two main ways in which attackers are loading crypto mining software onto mobile phones, Andrew Blaich, a senior security researcher at Lookout, told Security Now.

First, the user visits a website that has cryptomining code contained in its javascript, similar to what Coinhive has enabled, says Blaich.

"This method is one of the more common methods we’ve seen both on and off mobile, as this cryptomining code can be delivered through a website or through ads displayed on the website," Blaich said. "It is delivered through a small piece of JavaScript code that automatically runs in a browser that hasn’t disabled JavaScript."

Streaming video services offering "free" ways to stream movies, TV shows, and especially adult entertainment content on devices like smartphones are ripe for crypto mining attacks, Moffitt says. Attackers can mine for crypto as long as the user stays connected to that particular website that is streaming content or other forms of content.

Another common way attackers can mine for cryptocurrency on users' phones is when a user installs an app that contains or downloads a cryptomining code, Blaich noted.

"We are beginning to see more reports of mobile apps containing cryptomining code," Blaich said. "Moreover, this code can be embedded the same way as in the first method by using a webview or hidden webview to load the JavaScript code. The cryptomining code can also be a native app code that doesn’t require JavaScript to run, but which can also be hidden from the user."

Security experts note users can usually detect if crypto miners are running on their smartphones because the devices run hot as the mining software burns up CPU power and quickly drains the battery. Moffitt advises users to also close any open browser tabs that seem suspect or that feature only ads.

Malicious crypto miner growth rate on smartphones
Although security experts say no hard statistics exist at this time on the number of malicious crypto miner malware attacks on smartphones, they note the trend appears to be growing.

"We're continuing to see a number of security research come out in the past several months that identifies crypto mining malware on devices more than other types of malware," Blaich says. "In fact, the ability to inject cryptomining code into an app is much easier now than it was years ago, thanks to services that have simplified it like Coinhive. So, we're only going to see an increase in this type of activity as long as it proves profitable for the attackers."

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-37452
PUBLISHED: 2022-08-07
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
CVE-2022-26979
PUBLISHED: 2022-08-06
Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a NULL pointer dereference when this.Span is used for oState of Collab.addStateModel, because this.Span.text can be NULL.
CVE-2022-27944
PUBLISHED: 2022-08-06
Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow an exportXFAData NULL pointer dereference.
CVE-2022-2688
PUBLISHED: 2022-08-06
A vulnerability was found in SourceCodester Expense Management System. It has been rated as critical. This issue affects the function fetch_report_credit of the file report.php of the component POST Parameter Handler. The manipulation of the argument from/to leads to sql injection. The attack may be...
CVE-2022-2689
PUBLISHED: 2022-08-06
A vulnerability classified as problematic has been found in SourceCodester Wedding Hall Booking System. Affected is an unknown function of the file /whbs/?page=contact_us of the component Contact Page. The manipulation of the argument Message leads to cross site scripting. It is possible to launch t...