Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security //

Android

// // //
4/3/2018
08:05 AM
Dawn Kawamoto
Dawn Kawamoto
Dawn Kawamoto

Android Crypto Mining Attacks Go for Monero

Attackers hijacking Android devices to mine for cryptocurrencies are likely looking to score Monero, rather than other virtual currencies such as Bitcoin.

Android Monero-mining malware surfaced last week, pretending to be a legitimate Google Play update app, according to research from Trend Micro. But AndroidsOS_HiddenMiner isn't the only Monero-mining malware to hit Android devices and it isn't likely to be the last, security experts noted.

Indeed. In early February, botnet ADB.Miner distributed Monero-mining malware that targeted Android devices, according to Qihoo 360 Netlab, which made the discovery. And late last year, Trojan.AndroidOS Loapi, among its many nefarious features, could also mine for Monero cryptocurrency on Android devices, reported Kaspersky Lab.

(Source: Tumisu via Pixabay)

In terms of cryptocurrencies, Monero is favored over others by the bad guys because they are able to mine and cash out the cryptocurrencies without being traced and they can even steal processing power from devices as small as a smartphone to do it, Tyler Moffitt, senior threat research Aanalyst at Webroot, told Security Now.

"Monero's blockchain ledger of transactions is private and untraceable. The Bitcoin blockchain and the blockchains of the majority of other cryptos are public, meaning you can view any and all transactions on its blockchain. Ultimately, this allows someone to trace the bitcoin to an exchange address where it was cashed out into fiat currency like US dollars," Moffitt explained.

He added that Monero, unlike Bitcoin, does not need expensive, high-powered ASIC chips for mining. This allows miners and cybercriminals to use consumer grade graphic processing units (GPUs) and central processing units (CPUs) to mine for Monero.

In the case of HiddenMiner, discovered by Trend Micro, the new Android malware would use the victim's CPU power on their device. Hidden Minder was found in third-party app stores and affecting users in China and India, but Trend Micro's researchers noted in the report it would not be surprising to see it spread beyond those two countries.

How crypto mining software dials your smartphone
There are two main ways in which attackers are loading crypto mining software onto mobile phones, Andrew Blaich, a senior security researcher at Lookout, told Security Now.

First, the user visits a website that has cryptomining code contained in its javascript, similar to what Coinhive has enabled, says Blaich.

"This method is one of the more common methods we’ve seen both on and off mobile, as this cryptomining code can be delivered through a website or through ads displayed on the website," Blaich said. "It is delivered through a small piece of JavaScript code that automatically runs in a browser that hasn’t disabled JavaScript."

Streaming video services offering "free" ways to stream movies, TV shows, and especially adult entertainment content on devices like smartphones are ripe for crypto mining attacks, Moffitt says. Attackers can mine for crypto as long as the user stays connected to that particular website that is streaming content or other forms of content.

Another common way attackers can mine for cryptocurrency on users' phones is when a user installs an app that contains or downloads a cryptomining code, Blaich noted.

"We are beginning to see more reports of mobile apps containing cryptomining code," Blaich said. "Moreover, this code can be embedded the same way as in the first method by using a webview or hidden webview to load the JavaScript code. The cryptomining code can also be a native app code that doesn’t require JavaScript to run, but which can also be hidden from the user."

Security experts note users can usually detect if crypto miners are running on their smartphones because the devices run hot as the mining software burns up CPU power and quickly drains the battery. Moffitt advises users to also close any open browser tabs that seem suspect or that feature only ads.

Malicious crypto miner growth rate on smartphones
Although security experts say no hard statistics exist at this time on the number of malicious crypto miner malware attacks on smartphones, they note the trend appears to be growing.

"We're continuing to see a number of security research come out in the past several months that identifies crypto mining malware on devices more than other types of malware," Blaich says. "In fact, the ability to inject cryptomining code into an app is much easier now than it was years ago, thanks to services that have simplified it like Coinhive. So, we're only going to see an increase in this type of activity as long as it proves profitable for the attackers."

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-15023
PUBLISHED: 2023-01-31
A vulnerability, which was classified as problematic, was found in SiteFusion Application Server up to 6.6.6. This affects an unknown part of the file getextension.php of the component Extension Handler. The manipulation leads to path traversal. Upgrading to version 6.6.7 is able to address this iss...
CVE-2022-45172
PUBLISHED: 2023-01-31
An issue was discovered in LIVEBOX Collaboration vDesk before v018. Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is affected by ...
CVE-2022-47697
PUBLISHED: 2023-01-31
COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Account takeover. Anyone can reset the password of the admin accounts.
CVE-2022-47698
PUBLISHED: 2023-01-31
COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross Site Scripting (XSS) via the URL filtering feature in the router.
CVE-2022-47699
PUBLISHED: 2023-01-31
COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Incorrect Access Control.