Android security: Cryptocurrency mining-malware hidden in VPNs, games, and streaming apps, downloaded 100,000 times

Some of the malicious mining apps found in the Google Play store have been downloaded over 100,000 times.
Written by Danny Palmer, Senior Writer

Cybercriminals keen to exploit the cryptocurrency boom are increasingly attempting to infect mobile devices with cryptocurrency-mining malware -- and they're even using the official Android app store to do so.

Researchers at Kaspersky Lab have uncovered multiple malicious cryptocurrency-mining applications being distributed via the Google Play store, with the miners posing as games, sports streaming apps, and VPNs. Some of these have been downloaded more than 100,000 times.

While the applications appear to provide legitimate functions, their real purpose is to secretly use the CPU power of the device to mine the cryptocurrency Monero.

Illicit cryptocurrency-mining has grown in popularity this year and, while mobile devices have far less power than a PC for illicit mining, there are billions of smartphones around the world and they're an easy target for attackers. That's especially the case given how easily users can install apps.

"Cybercriminals are banking on compensating for smartphones' poor performance and mobile miners' easy detection through the sheer number of handheld devices out there and their high infectibility," said Roman Unuchek, security researcher at Kaspersky Lab.

Researchers found the most common mining apps to be connected with soccer, with a Portuguese-language match-streaming app being one of the most commonly downloaded. The app fulfils its advertised function of allowing users to watch broadcast football matches, while also discreetly mining in the background.

A common tactic applied by the attackers is to hide a Coinhive JavaScript miner within the malicious apps. When the users launch a broadcast, the app opens an HTML file with an embedded JavaScript miner, which converts the streamer's CPU power into a tool for mining Monero.

Researchers say the soccer-streaming miner was distributed via Google Play and downloaded by over 100,000 users, mostly based in Brazil.
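For defenders triaging an app, the embedded-miner tactic described above can be checked statically. The following is an added example, not code from Kaspersky Lab or the article: it treats an APK as the ZIP archive it is and flags bundled HTML/JavaScript assets that reference the Coinhive web miner. The indicator patterns, asset names, and sample APK are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Indicators of the publicly documented Coinhive web miner (loader file name,
# hosting domain, JS constructor). Chosen for this example, not from the article.
INDICATORS = {
    "coinhive-loader": re.compile(rb"coinhive(\.min)?\.js", re.I),
    "coinhive-domain": re.compile(rb"\bcoinhive\.com\b", re.I),
    "coinhive-api": re.compile(rb"\bCoinHive\.(Anonymous|User|Token)\s*\(", re.I),
}
WEB_SUFFIXES = (".html", ".htm", ".js")


def scan_apk(apk):
    """Return sorted (entry, indicator) pairs for web assets inside an APK.

    `apk` is a path or a binary file object; an APK is an ordinary ZIP archive.
    """
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(WEB_SUFFIXES):
                continue  # only inspect bundled web content, not dex/resources
            data = zf.read(info)
            for name, pattern in INDICATORS.items():
                if pattern.search(data):
                    findings.add((info.filename, name))
    return sorted(findings)


def build_sample_apk():
    """Constructed sample: one streaming page with a miner reference, one clean page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/player.html",
                    '<video src="stream.m3u8"></video>\n'
                    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
                    '<script>new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER");</script>\n')
        zf.writestr("assets/about.html", "<h1>About this app</h1>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, indicator in scan_apk(build_sample_apk()):
        print(f"{entry}: {indicator}")
```

String matching of this kind only catches unobfuscated references in bundled assets; a page that fetches the miner at runtime needs network or behavioural monitoring instead.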

Another popular means of distributing miners via seemingly legitimate apps is to embed it within applications used to provide VPN connections.

Researchers found that a cryptocurrency mining app called Vilny.net has been downloaded over 50,000 times, mostly in Ukraine and Russia.

Those behind Vilny have tailored the app to monitor the battery charge and temperature of the device, allowing the attackers to control the CPU usage to avoid the high temperature associated with extensive battery use -- in order to ensure the user doesn't notice any suspicious activity and connect it with the app.

Other apps weren't as advanced, simply posing as games and other popular programs while secretly mining cryptocurrency. Some duped users twice, also showing them ads which don't go away until they're clicked -- providing the attackers with another source of revenue.

The majority of these simple cryptocurrency miners were distributed via third-party sites, although one called Zombie Fun was found in the Play Store.


A mining app in the Google Play Store, which has since been removed.

Image: Kaspersky Lab

It all points to how the threat actors behind malicious mining apps are upping their game in order to deceive people into acquiring cryptocurrency for them.

"Authors of malicious miners are expanding their resources and developing their tactics and approach to perform more effective cryptocurrency mining," said Unuchek.

"They are now using legitimate thematic applications with mining capacities to feed their greed. As such, they are able to capitalise on each user twice -- firstly via an ad display, and secondly via discreet cryptomining."

Kaspersky Lab informed Google of the malicious apps, which have now been removed from the Play Store. ZDNet has attempted to contact Google for comment, but hasn't received a response at the time of publication.

In order to ensure their smartphone doesn't become infected with a cryptocurrency miner, users should only install trusted apps and keep their device up to date in order to reduce the risk of an attack.

Nonetheless, the sheer number of mobile devices available for criminals to potentially target means they'll remain a popular outlet for cryptocurrency mining for the time being.

Indeed, miners have recently become as lucrative for criminals as ransomware is -- but with the added bonus of being much subtler and potentially providing attackers with income for a long period of time.
