Android malware: Millions fall victim to drive-by cryptocurrency miner

Researchers say that at least 60 million visits have been forcibly made to malicious Monero sites in what represents the first large-scale cryptocurrency campaign targeting mobile.
Written by Danny Palmer, Senior Writer

Smartphones have much power to mine cryptocurrency - but their lack of security makes them easy targets for attackers.

Image: iStock

Millions of Android users have unwittingly lent their device to a drive-by cryptocurrency mining campaign in what's believed to be the first large operation of this kind to specifically target mobile users.

Malicious apps and sites with malvertising are redirecting millions of users to websites set up for the purposes of mining the Monero cryptocurrency.


The five cryptocurrency mining websites receive a combined total of 800,000 visits a day, as part of a cybercrime campaign that has been active since November -- according to researchers at Malwarebytes.

For the attackers, the advantage of targeting mobile devices is that many users don't use any sort of web filtering or security applications, meaning they're left without software to warn them about suspicious activity.

There is also a very large number of mobile devices that could be roped into the scheme.

"No platform is immune to cryptomining, and although mobile devices may indeed be less powerful than full fledged desktops, there is a greater number of them out there," Jérôme Segura, lead malware intelligence analyst at Malwarebytes, told ZDNet.

Researchers say that while some of the forced redirection attacks may occur during regular browsing, it's likely infected apps also play a role, with ad modules within them directing users towards the cryptomining pages with various Coinhive site keys. They say it's likely these infected apps are free downloads from untrusted third-party marketplaces.
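As an added illustration of the indicator the researchers describe (this is not code from the article or from Malwarebytes): a small scanner that checks fetched page content for the Coinhive loader script and the site key handed to its miner constructor, so that the hosting sites and keys can be blocklisted or alerted on. The loader URL and the `CoinHive.Anonymous`/`User`/`Token` constructors are Coinhive's public JavaScript API; the accepted site-key length range and the two sample pages are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Indicators of the in-browser Coinhive miner. The loader URL and the
# constructor names are Coinhive's public API; the site-key length range
# (16-64 alphanumerics) is an assumption wide enough to catch real keys.
COINHIVE_LOADER = re.compile(
    r"https?://(?:www\.)?coinhive\.com/lib/[\w.-]+\.js", re.IGNORECASE)
MINER_CONSTRUCTOR = re.compile(
    r"CoinHive\.(Anonymous|User|Token)\s*\(\s*['\"]([A-Za-z0-9]{16,64})['\"]")
MINER_START = re.compile(r"\.start\s*\(")


def scan_page(html: str) -> Dict[str, object]:
    """Report which miner indicators a page contains and the site keys it uses."""
    keys: List[str] = [m.group(2) for m in MINER_CONSTRUCTOR.finditer(html)]
    return {
        "loader": bool(COINHIVE_LOADER.search(html)),   # miner library loaded
        "constructor": bool(keys),                       # miner instantiated
        "started": bool(MINER_START.search(html)),       # mining kicked off
        "site_keys": sorted(set(keys)),                  # keys to blocklist
    }


def is_cryptojacking(report: Dict[str, object]) -> bool:
    """Flag only when the library is loaded AND a miner is instantiated with a key."""
    return bool(report["loader"] and report["constructor"])


# Constructed sample: the kind of "prove you are human" page the campaign used.
# The site key is a placeholder, not a real Coinhive key.
MINING_PAGE = """
<html><body>
<p>Your device is showing suspicious surfing behaviour. Please prove that you
are human by solving the captcha.</p>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLESITEKEY0000000000000000AB', {throttle: 0});
  miner.start();
</script>
</body></html>
"""

# Constructed benign page for comparison.
BENIGN_PAGE = "<html><body><p>Welcome.</p><script src='/app.js'></script></body></html>"

if __name__ == "__main__":
    for name, page in (("mining", MINING_PAGE), ("benign", BENIGN_PAGE)):
        report = scan_page(page)
        print(name, "cryptojacking" if is_cryptojacking(report) else "clean", report)
```

In practice the same check can be run over HTTP proxy logs or the response bodies a mobile web filter already inspects, and `site_keys` fed into an ad-blocker or web-protection blocklist.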

The very nature of malicious cryptocurrency mining means that it goes on behind the scenes, going out of its way not to alert the user that their computer is being used, aside from slowing the system down, or spinning up system fans.

However, the group behind the cryptomining campaign takes a very different approach, telling visitors redirected to their websites that their devices are being used to mine cryptocurrency. The attackers claim the mining is being done to pay for server traffic.

"Your device is showing suspicious surfing behaviour. Please prove that you are human by solving the captcha. Until you verify yourself as human, your browser will mine the Cryptocurrency Monero for us in order to recover the server costs incurred by bot traffic," reads the warning.


The captcha code for every single user is exactly the same - w3FaSO5R - and until it's entered and the continue button is pressed, the phone or tablet will mine Monero at full speed, maxing out the device's processor - something that, left unchecked, can cause damage to the device.


The mobile cryptocurrency miner tells users what it's doing - and maxes out the device processor until the code is entered for it to stop.

Image: Malwarebytes

Analysis of traffic suggests the average time a visitor spends on this Monero mining page is around four minutes, with the page initially loaded as a pop-under so it can perform its initial burst of activity without the user immediately noticing.

Between November and January, two of the five sites had over 32 million visitors each.

The devices have only a fraction of the power of PCs, but Monero mining from smartphones can still bring money in for those behind the scheme. Researchers estimate that given the power of the processors and the small amount of time spent mining, the whole operation is only bringing in a few thousand dollars a month.

However, as demonstrated by the rise of bitcoin, it's possible for cryptocurrencies to vastly increase in value.

It's worth noting that the websites that redirect to the mining sites aren't necessarily malicious, since malvertising could have been placed on them without the hosts' knowledge.

The campaign is still active and has been successful in targeting millions of Android devices because large numbers of users still aren't aware their device can be attacked in a similar manner to a desktop computer.

But attacks like this cryptocurrency mining operation can be prevented in the same way as attacks against a PC are - by using appropriate software.

"Mobile users should use the same protection mechanisms as they would on their PC, that is to say ad-blockers, web protection and security applications," said Segura.

Large-scale cryptocurrency campaigns can make their operators vast amounts of money -- one miner targeting Windows systems with the aid of the EternalBlue exploit is thought to have extracted $3.6m in cryptocurrency.
