Cybercriminals keen to exploit the cryptocurrency boom are increasingly attempting to infect mobile devices with cryptocurrency-mining malware -- and they're even using the official Android app store to do so.
Researchers at Kaspersky Lab have uncovered multiple malicious cryptocurrency-mining applications being distributed via the Google Play store, with the miners posing as games, sports streaming apps, and VPNs. Some of these have been downloaded more than 100,000 times.
While the applications appear to provide legitimate functions, their real purpose is to secretly use the CPU power of the device to mine the cryptocurrency Monero.
Illicit cryptocurrency-mining has grown in popularity this year and, while mobile devices have far less power than a PC for illicit mining, there are billions of smartphones around the world and they're an easy target for attackers. That's especially the case given how easily users can install apps.
"Cybercriminals are banking on compensating for smartphones' poor performance and mobile miners' easy detection through the sheer number of handheld devices out there and their high infectibility," said Roman Unuchek, security researcher at Kaspersky Lab.
Researchers found the most common mining apps to be connected with soccer, with a Portuguese-language match-streaming app being one of the most commonly downloaded. The app fulfils its advertised function of allowing users to watch broadcast football matches, while also discreetly mining in the background.
Researchers say the soccer-streaming miner was distributed via Google Play and downloaded by over 100,000 users, mostly based in Brazil.
Another popular means of distributing miners via seemingly legitimate apps is to embed them within applications used to provide VPN connections.
Researchers found that a cryptocurrency mining app called Vilny.net has been downloaded over 50,000 times, mostly in Ukraine and Russia.
Those behind Vilny have tailored the app to monitor the battery charge and temperature of the device, allowing the attackers to control the CPU usage to avoid the high temperature associated with extensive battery use -- in order to ensure the user doesn't notice any suspicious activity and connect it with the app.
Other apps weren't as advanced, simply posing as games and other popular programs while secretly mining cryptocurrency. Some duped users twice, also showing them ads which don't go away until they're clicked -- providing the attackers with another source of revenue.
The majority of these simple cryptocurrency miners were distributed via third-party sites, although one called Zombie Fun was found in the Play Store.
It all points to how the threat actors behind malicious mining apps are upping their game in order to deceive people into acquiring cryptocurrency for them.
"Authors of malicious miners are expanding their resources and developing their tactics and approach to perform more effective cryptocurrency mining," said Unuchek.
"They are now using legitimate thematic applications with mining capacities to feed their greed. As such, they are able to capitalise on each user twice -- firstly via an ad display, and secondly via discreet cryptomining."
Kaspersky Lab informed Google of the malicious apps, which have now been removed from the Play Store. ZDNet has attempted to contact Google for comment, but hasn't received a response at the time of publication.
To reduce the risk of their smartphone becoming infected with a cryptocurrency miner, users should only install trusted apps and keep their device up to date.
Nonetheless, the sheer number of mobile devices available for criminals to potentially target means they'll remain a popular outlet for cryptocurrency mining for the time being.