Google yanks two battery-sucking Bitcoin mining Android apps from Play store

Cryptocurrency-mining malware on mobile devices might not deliver great returns, but it will harm your device.
Written by Liam Tung, Contributing Writer

Researchers have found two popular apps in Google Play that surreptitiously mine several cryptocurrencies for their makers, potentially over-heating devices and shortening their lifespan.

It's not so surprising to hear of apps packing new malware for Android these days, especially when it comes to non-Google app stores, but it appears some of them are now sneaking onto Google's own Play store.

Mobile threat analyst Veo Zhang this week discovered two free Android apps on Google Play, called Songs and Prized, which display the same behaviour as a new family of coin-mining malware found on third-party app stores. The malware in question has been designed to turn Android devices into miners for Bitcoin, Litecoin and Dogecoin.

Songs, the more popular of the two apps, has been downloaded more than one million times, according to stats on Google Play. However, it appears to have been removed from the store today, after news of its coin-mining sideline broke. Prized also appears to have been removed.

Google declined to comment about the removed apps when asked by ZDNet.

Google has, however, removed apps in the past for violating Google Play policies, and one clause that would be relevant to the hidden mining software is its "dangerous products" clause: "We don't allow content that harms, interferes with the operation of, or accesses in an unauthorized manner, networks, servers, or other infrastructure."

Also, while there's nothing wrong with mining software itself, it's expected that developers are upfront about its behaviour and that the developers gain the user's consent. 

One feature that distinguishes this malware from other mobile malware is that mining only occurs when the device is charging, since mining will cause the battery to drain rapidly. Prized and Songs — which is still available on App Brain — also include permissions to prevent the phone from going into sleep mode.

The mining code is based on a well-known piece of legitimate mining software, cpuminer.

However, as noted by Zhang, whoever made the coin-mining malware probably hadn't thought through their plan very well.

"Phones do not have sufficient performance to serve as effective miners," he noted. "Users will also quickly notice the odd behavior of the miners — slow charging and excessively hot phones will all be seen, making the miner's presence not particularly stealthy. Yes, they can gain money this way, but at a glacial pace."

Nonetheless, the related family of mining malware that has appeared on third-party app stores has had some success at mining Dogecoins, according to Zhang's analysis.

For third-party markets, the malware authors re-packed popular apps like Football Manager Handheld and TuneIn Radio and hid the malware in them by modifying the Google Mobile Ads portion of the app. Trend Micro has labelled the threat Kagecoin.HBT.

"The miner is started as a background service once it detects that the affected device is connected to the internet. By default, it launches the CPU miner to connect to a dynamic domain, which then redirects to an anonymous Dogecoin mining pool," Zhang said.

"By February 17, his network of mobile miners has earned him thousands of Dogecoins. After February 17, the cybercriminal changed mining pools. The malware is configured to download a file, which contains the information necessary to update the configuration of the miner. This configuration file was updated, and it now connects to the well-known WafflePool mining pool. The Bitcoins mined have been paid out (ie, transferred to the cybercriminal's wallet) several times."

In contrast to Bitcoin, with its high exchange rate, Dogecoin is currently worth $0.0005 on many markets.

Mobile security vendor Lookout has also discovered a family of mining malware it calls CoinKrypt, which is distributed mostly on Spanish pirated software forums. Most detections it's seen have been in France.

According to Lookout, one of the problems with being infected with the mining malware is that, unlike with normal mining software, the malware version doesn't contain controls for the rate at which coins are mined and will drive the hardware until the battery is exhausted.

As Lookout notes, mining malware is going after non-Bitcoin digital currencies because Bitcoin's difficulty rate is currently impossibly high.

"The difficulty for Bitcoin is so tough right now that a recent mining experiment using 600 quad-core servers was only able to generate 0.4 bitcoins," Lookout notes.

And while it's one million times easier to mine Litecoin than Bitcoin, using a smartphone to do so isn't that effective.

"When we tested the feasibility of mining using a Nexus 4 by using Android mining software such as the application 'AndLTC', we were only able to attain a rate of about 8Kh/s — or 8,000 hash calculations per second, the standard unit of measure for mining. Using a Litecoin calculator and the difficulty setting mentioned above we can see that this would net us 0.01 LTC after seven days non-stop mining. That's almost 20 cents," Lookout said.
