Malware Hijacks Android Mobile Devices to Mine Cryptocurrency

Several pieces of malware targeting Android mobile devices hijack the smartphone or tablet’s resources to mine digital currency such as Litecoin or Dogecoin.

On its surface, the idea of turning a smartphone into a cryptocurrency mining machine sounds novel. But practical and profitable? Not so much.

That hasn’t stopped thieves from corrupting a number of popular Android applications for just that purpose, including two on the Google Play store called Songs and Prized; Songs has been downloaded a million times.

Several versions of the CoinKrypt malware also exist, said researchers at mobile security company Lookout. The malicious CoinKrypt apps, Lookout said, have been confined to forums in Spain and France that distribute pirated software.

CoinKrypt is an add-on to a legitimate app and hijacks an Android phone’s resources—which are limited for this purpose to begin with—in order to mine Litecoin, Dogecoin, and Casinocoin.

Desktop computers, for example, have far more resources that can be dedicated to this purpose than a mobile device does, and yet are still insufficient to mine coins for profit.

People do mine coins, rather than buy them, using purpose-built software to do so. Essentially, people who mine are lending their machine’s processing power for the purpose, and in return are rewarded with a new coin.

Mining digital currency, however, does come with some gotchas, especially on a mobile device. Namely, mining can be a resource hog that quickly drains battery life, overheats hardware to the point of damage, or exhausts a user’s data plan by downloading a blockchain, or transaction history, which can be gigabytes in size.

Lookout experts said that CoinKrypt does not include a feature, native to other mining software, that controls the rate at which coins are mined in order to protect the hardware from damage. This may also be why the attackers are staying away from mining Bitcoins, which, despite being far more valuable, are much more difficult to mine.

“This leads us to believe this criminal is experimenting with malware that can take advantage of lower-hanging digital currency fruit that might yield more coins with less work,” said Marc Rogers, a researcher with Lookout. “With the price of a single Bitcoin at $650 and other newer currencies such as Litecoin approaching $20 for a single coin we are in the middle of a digital gold rush. CoinKrypt is the digital equivalent of a claim jumper.”

Rogers said it’s almost one million times easier to mine Litecoin than Bitcoin; 3.5 million times easier to mine Dogecoin.

“When we tested the feasibility of mining using a Nexus 4 by using Android mining software such as the application ‘AndLTC,’ we were only able to attain a rate of about 8Kh/s – or 8,000 hash calculations per second, the standard unit of measure for mining,” Rogers said. “Using a Litecoin calculator and the difficulty setting mentioned above we can see that this would net us 0.01 LTC after seven days non-stop mining. That’s almost 20 cents.”

Other samples, Rogers said, have been targeting newer digital coins in order to avoid these issues.

Researchers at G Data Software also found mining software embedded in a version of the TuneIn Radio Pro app on the Google Play store. The Trojan, dubbed MuchSad, mines Dogecoin in addition to serving streaming radio to the user.

“The malicious functionality is put on hold when the user of the smartphone or tablet is using it. When the malicious app is first launched, a service called ‘Google Service’ is initialized,” researchers at G Data said. “After five seconds, and thereafter every twenty minutes, this checks whether the user is actively using the device. If the device is free – not in use – the malicious app starts to ‘mine’ Dogecoins for the attacker.”

In three days, the attacker was able to mine nearly 1,900 Dogecoins, or about $6.

“The only clues that might quickly raise a user’s suspicions are the increased battery usage and the heat from the mobile phone, due to the constant high load at times when the user is not actively using the device. You can even see the battery consumption in the Android system logs,” G Data researchers said. “However, the ‘Google Service’ disguise will very probably come into play again here. Barely a single user will question such battery consumption, assuming it is a system process.”
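The behaviour G Data describes (load only while the device is idle, running under a system-sounding service name) can be turned into a simple triage check. The following is an added example, not tooling from G Data or Lookout; the sample records, package names, thresholds and the trusted-prefix list are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed samples: (minute, screen_on, package, service_label, cpu_percent).
# Package names and CPU values are invented for illustration.
SAMPLES = [
    (0,  True,  "com.example.radio",      "Google Service", 2.0),
    (0,  True,  "com.example.mail",       "SyncService",    6.0),
    (20, False, "com.example.radio",      "Google Service", 93.0),
    (20, False, "com.example.mail",       "SyncService",    4.0),
    (40, False, "com.example.radio",      "Google Service", 95.0),
    (40, False, "com.example.mail",       "SyncService",    3.0),
    (60, True,  "com.example.radio",      "Google Service", 3.0),
    (60, True,  "com.example.mail",       "SyncService",    7.0),
    (80, False, "com.example.radio",      "Google Service", 94.0),
    (80, False, "com.google.android.gms", "Google Service", 5.0),
]

# Assumed allow-list of namespaces that may legitimately carry a "Google" label.
TRUSTED_PREFIXES = ("com.google.", "com.android.")

def idle_load_report(samples, idle_threshold=60.0, ratio=5.0):
    """Return {package: [reasons]} for apps matching the idle-miner pattern."""
    idle, active, labels = defaultdict(list), defaultdict(list), defaultdict(set)
    for _minute, screen_on, pkg, label, cpu in samples:
        (active if screen_on else idle)[pkg].append(cpu)
        labels[pkg].add(label.lower())
    findings = {}
    for pkg in labels:
        reasons = []
        if idle[pkg]:
            idle_avg = mean(idle[pkg])
            active_avg = mean(active[pkg]) if active[pkg] else 0.0
            # Heavy load with the screen off, near-silent while the user is present.
            if idle_avg >= idle_threshold and idle_avg >= ratio * max(active_avg, 1.0):
                reasons.append("idle-only-load")
        # A system-sounding service label on a package outside the trusted namespaces.
        if any("google" in l for l in labels[pkg]) and not pkg.startswith(TRUSTED_PREFIXES):
            reasons.append("system-like-label")
        if reasons:
            findings[pkg] = reasons
    return findings

if __name__ == "__main__":
    for pkg, reasons in idle_load_report(SAMPLES).items():
        print(pkg, reasons)
```

Either signal alone is weak; the combination of the two is what matches the disguise described above.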
