Android security: This malware will mine cryptocurrency until your smartphone fails

Monero-mining Android malware will exhaust your phone in its quest for cash.
Written by Steve Ranger, Global News Director

A new strain of Android malware will continuously use an infected device's CPU to mine the Monero cryptocurrency until the device is exhausted or even breaks down.

Security company Trend Micro has named the malware HiddenMiner because of the techniques it uses to protect itself from discovery and removal.

Like most cryptocurrency-mining software, HiddenMiner uses the device's CPU power to mine Monero. But Trend Micro said that because there is no switch, controller, or optimizer in HiddenMiner's code, it will continuously mine Monero until the device's resources are exhausted.

"Given HiddenMiner's nature, it could cause the affected device to overheat and potentially fail," the company said.

If the researchers' concerns are correct, this is not the first cryptocurrency-mining malware to put your smartphone at risk: last year the Loapi Android malware worked a phone so hard that its battery swelled up and burst open the device's back cover, wrecking the handset within 48 hours.

Trend Micro said the two pieces of malware share similarities, noting that Loapi's technique of locking the screen after revoking device administration permissions is analogous to HiddenMiner's.

Researchers at the company identified the Monero mining pools and wallets connected to the malware, and spotted that one of its operators withdrew 26 XMR -- around $5,360 -- from one of the wallets. This, they said, indicates a "rather active" campaign of using infected devices to mine cryptocurrency.

HiddenMiner poses as a legitimate Google Play update app, and forces users to activate it as a device administrator. It will persistently pop up until victims click the Activate button; once granted permission, HiddenMiner will start mining Monero in the background.

It also attempts to hide itself on infected devices, for example by emptying the app label and using a transparent icon after installation. Once activated as device administrator, it will hide the app from the app launcher. The malware will hide itself and automatically run with device administrator permission until the next device boot. HiddenMiner also has anti-emulator capabilities to bypass detection and automated analysis.

It's also hard to get rid of: users can't uninstall an active system admin package until device administrator privileges are removed first. But HiddenMiner locks the device's screen when a user wants to deactivate its device administrator privileges, taking advantage of a bug found in Android operating systems before Android 7.0 Nougat.

Trend Micro said that HiddenMiner is found in third-party app marketplaces and is affecting users in India and China, but it won't be a surprise if it spreads beyond these countries.

The emergence of this malware should reinforce the need for mobile security hygiene, said Trend Micro: download only from official app marketplaces, regularly update the device's OS, and be careful about the permissions you grant to applications.
