Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security //

Android

4/3/2018
08:05 AM
Dawn Kawamoto
Dawn Kawamoto
Dawn Kawamoto
50%
50%

Android Crypto Mining Attacks Go for Monero

Attackers hijacking Android devices to mine for cryptocurrencies are likely looking to score Monero, rather than other virtual currencies such as Bitcoin.

Android Monero-mining malware surfaced last week, pretending to be a legitimate Google Play update app, according to research from Trend Micro. But AndroidsOS_HiddenMiner isn't the only Monero-mining malware to hit Android devices and it isn't likely to be the last, security experts noted.

Indeed. In early February, botnet ADB.Miner distributed Monero-mining malware that targeted Android devices, according to Qihoo 360 Netlab, which made the discovery. And late last year, Trojan.AndroidOS Loapi, among its many nefarious features, could also mine for Monero cryptocurrency on Android devices, reported Kaspersky Lab.

In terms of cryptocurrencies, Monero is favored over others by the bad guys because they are able to mine and cash out the cryptocurrencies without being traced and they can even steal processing power from devices as small as a smartphone to do it, Tyler Moffitt, senior threat research Aanalyst at Webroot, told Security Now.

"Monero's blockchain ledger of transactions is private and untraceable. The Bitcoin blockchain and the blockchains of the majority of other cryptos are public, meaning you can view any and all transactions on its blockchain. Ultimately, this allows someone to trace the bitcoin to an exchange address where it was cashed out into fiat currency like US dollars," Moffitt explained.

He added that Monero, unlike Bitcoin, does not need expensive, high-powered ASIC chips for mining. This allows miners and cybercriminals to use consumer grade graphic processing units (GPUs) and central processing units (CPUs) to mine for Monero.

In the case of HiddenMiner, discovered by Trend Micro, the new Android malware would use the victim's CPU power on their device. Hidden Minder was found in third-party app stores and affecting users in China and India, but Trend Micro's researchers noted in the report it would not be surprising to see it spread beyond those two countries.

How crypto mining software dials your smartphone
There are two main ways in which attackers are loading crypto mining software onto mobile phones, Andrew Blaich, a senior security researcher at Lookout, told Security Now.

First, the user visits a website that has cryptomining code contained in its javascript, similar to what Coinhive has enabled, says Blaich.

"This method is one of the more common methods we’ve seen both on and off mobile, as this cryptomining code can be delivered through a website or through ads displayed on the website," Blaich said. "It is delivered through a small piece of JavaScript code that automatically runs in a browser that hasn’t disabled JavaScript."

Streaming video services offering "free" ways to stream movies, TV shows, and especially adult entertainment content on devices like smartphones are ripe for crypto mining attacks, Moffitt says. Attackers can mine for crypto as long as the user stays connected to that particular website that is streaming content or other forms of content.

Another common way attackers can mine for cryptocurrency on users' phones is when a user installs an app that contains or downloads a cryptomining code, Blaich noted.

"We are beginning to see more reports of mobile apps containing cryptomining code," Blaich said. "Moreover, this code can be embedded the same way as in the first method by using a webview or hidden webview to load the JavaScript code. The cryptomining code can also be a native app code that doesn’t require JavaScript to run, but which can also be hidden from the user."

Security experts note users can usually detect if crypto miners are running on their smartphones because the devices run hot as the mining software burns up CPU power and quickly drains the battery. Moffitt advises users to also close any open browser tabs that seem suspect or that feature only ads.

Malicious crypto miner growth rate on smartphones
Although security experts say no hard statistics exist at this time on the number of malicious crypto miner malware attacks on smartphones, they note the trend appears to be growing.

"We're continuing to see a number of security research come out in the past several months that identifies crypto mining malware on devices more than other types of malware," Blaich says. "In fact, the ability to inject cryptomining code into an app is much easier now than it was years ago, thanks to services that have simplified it like Coinhive. So, we're only going to see an increase in this type of activity as long as it proves profitable for the attackers."

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-18112
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
CVE-2020-15109
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
CVE-2020-16847
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
CVE-2020-15135
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
CVE-2020-13522
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.