Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security //

Android

4/3/2018
08:05 AM
Dawn Kawamoto
Dawn Kawamoto
Dawn Kawamoto
50%
50%

Android Crypto Mining Attacks Go for Monero

Attackers hijacking Android devices to mine for cryptocurrencies are likely looking to score Monero, rather than other virtual currencies such as Bitcoin.

Android Monero-mining malware surfaced last week, pretending to be a legitimate Google Play update app, according to research from Trend Micro. But AndroidsOS_HiddenMiner isn't the only Monero-mining malware to hit Android devices and it isn't likely to be the last, security experts noted.

Indeed. In early February, botnet ADB.Miner distributed Monero-mining malware that targeted Android devices, according to Qihoo 360 Netlab, which made the discovery. And late last year, Trojan.AndroidOS Loapi, among its many nefarious features, could also mine for Monero cryptocurrency on Android devices, reported Kaspersky Lab.

In terms of cryptocurrencies, Monero is favored over others by the bad guys because they are able to mine and cash out the cryptocurrencies without being traced and they can even steal processing power from devices as small as a smartphone to do it, Tyler Moffitt, senior threat research Aanalyst at Webroot, told Security Now.

"Monero's blockchain ledger of transactions is private and untraceable. The Bitcoin blockchain and the blockchains of the majority of other cryptos are public, meaning you can view any and all transactions on its blockchain. Ultimately, this allows someone to trace the bitcoin to an exchange address where it was cashed out into fiat currency like US dollars," Moffitt explained.

He added that Monero, unlike Bitcoin, does not need expensive, high-powered ASIC chips for mining. This allows miners and cybercriminals to use consumer grade graphic processing units (GPUs) and central processing units (CPUs) to mine for Monero.

In the case of HiddenMiner, discovered by Trend Micro, the new Android malware would use the victim's CPU power on their device. Hidden Minder was found in third-party app stores and affecting users in China and India, but Trend Micro's researchers noted in the report it would not be surprising to see it spread beyond those two countries.

How crypto mining software dials your smartphone
There are two main ways in which attackers are loading crypto mining software onto mobile phones, Andrew Blaich, a senior security researcher at Lookout, told Security Now.

First, the user visits a website that has cryptomining code contained in its javascript, similar to what Coinhive has enabled, says Blaich.

"This method is one of the more common methods we’ve seen both on and off mobile, as this cryptomining code can be delivered through a website or through ads displayed on the website," Blaich said. "It is delivered through a small piece of JavaScript code that automatically runs in a browser that hasn’t disabled JavaScript."

Streaming video services offering "free" ways to stream movies, TV shows, and especially adult entertainment content on devices like smartphones are ripe for crypto mining attacks, Moffitt says. Attackers can mine for crypto as long as the user stays connected to that particular website that is streaming content or other forms of content.

Another common way attackers can mine for cryptocurrency on users' phones is when a user installs an app that contains or downloads a cryptomining code, Blaich noted.

"We are beginning to see more reports of mobile apps containing cryptomining code," Blaich said. "Moreover, this code can be embedded the same way as in the first method by using a webview or hidden webview to load the JavaScript code. The cryptomining code can also be a native app code that doesn’t require JavaScript to run, but which can also be hidden from the user."

Security experts note users can usually detect if crypto miners are running on their smartphones because the devices run hot as the mining software burns up CPU power and quickly drains the battery. Moffitt advises users to also close any open browser tabs that seem suspect or that feature only ads.

Malicious crypto miner growth rate on smartphones
Although security experts say no hard statistics exist at this time on the number of malicious crypto miner malware attacks on smartphones, they note the trend appears to be growing.

"We're continuing to see a number of security research come out in the past several months that identifies crypto mining malware on devices more than other types of malware," Blaich says. "In fact, the ability to inject cryptomining code into an app is much easier now than it was years ago, thanks to services that have simplified it like Coinhive. So, we're only going to see an increase in this type of activity as long as it proves profitable for the attackers."

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.