Mining Malware Infects Mobile Market via Google Play Apps

shutterstock_85800619
27 March 2014

Cryptocurrency mining malware for PC platforms has been around for a while, but now it has gone mobile, specifically via the Android OS.

A team of security researchers from Trend Micro has managed to identify two apps that can use your Android device to mine litecoin and dogecoin.

The apps in question are called Songs and Prized, and both are available from the Google Play Store. Songs has between one and five million downloads so far, while Prized has 10,000 to 50,000 downloads.

This is not the first case of mining malware targeting new and unusual platforms. Linux recently got what was likely its first taste of mining malware with the Darlloz worm.

The Android ecosystem is quite a bit bigger, but targeting it is rather pointless from a mining point of view because the hardware simply isn’t up to the job.

Malware to the moon

The researchers identified the malware as ANDROIDOS_KAGECOIN.HBT, which has previously been found in repackaged copies of several popular apps, including Football Manager Handheld and TuneIn Radio.

The apps were injected with CPU mining code from a legitimate Android mining app, based on cpuminer. This time around the malware was found on Google Play apps, rather than repackaged apps from third-party app stores.

Google’s hands-off approach to app vetting (or lack thereof) will probably be blamed for the mess, but in all fairness this would not be the first time a big tech firm was used to spread cryptocurrency malware.

On New Year’s Eve, Yahoo’s European servers were piggybacked to spread mining malware to a large number of PCs, but the attack appears to have been limited and relatively unsuccessful.

Once installed, this strain launched CPUminer and connected to a dynamic domain, where it was redirected to an anonymous dogecoin mining pool.

Trend Micro said:

“By February 17, his network of mobile miners has earned him thousands of dogecoins. After February 17, the cybercriminal changed mining pools. The malware is configured to download a file, which contains the information necessary to update the configuration of the miner. This configuration file was updated, and it now connects to the well-known WafflePool mining pool.”

The researchers now say they have identified exactly the same behaviour in apps downloaded from Google Play. At press time, both apps were still available on Google’s app store.

This time around, the miner has been configured to mine litecoins rather than dogecoins. However, the focus was initially on dogecoins and researchers believe that the cybercriminal behind the malware “accumulated a great deal” of dogecoins.

Clever but pointless

Although this attack has infected many thousands of devices, researchers seem baffled by the fact that someone chose to attempt it in the first place. Smartphones simply don’t have enough processing power to mine cryptocurrencies effectively, and battery life is a further problem.

Trend Micro points out:

“Clever as the attack is, whoever carried it out may not have thought things through. Phones do not have sufficient performance to serve as effective miners. Users will also quickly notice the odd behavior of the miners – slow charging and excessively hot phones will all be seen, making the miner’s presence not particularly stealthy. Yes, they can gain money this way, but at a glacial pace.”

Trend Micro points out that there are plenty of telltale signs that point to an infection. CPUs in mobile devices spent much of their time idling, so it is relatively easy to notice that something is wrong.

The battery drains quickly and recharges slowly, but heat is an even bigger giveaway. As anyone who was ever hooked on mobile games knows, phones and tablets heat up quickly even after a few minutes of gameplay, as the System-on-Chip (SoC) processor kicks into high gear and starts operating at the highest possible clocks when faced with a lot of load.

It should be relatively easy to figure out if any app is mining in the background. Users who happen to notice unusual behaviour on their devices, such as a hot phone and low battery life, can easily identify the app responsible (go to: Settings > Battery), and remove it.

It goes without saying that the two apps mentioned above should be removed from your phone immediately, if you have them installed.

The ARM-based SoCs used in the vast majority of Android devices today simply don’t have the muscle to mine cryptocurrencies. They are designed to be efficient and operate within strict thermal and power envelopes, necessitated by the size of the device and, of course, the capacity of the on-board battery.

Even the latest and most powerful ARM-based application processors used in high-end Android smartphones and tablets, such as the Snapdragon 800, Tegra 4 or Exynos 5, don’t have a fraction of the computing power needed to mine digital currencies in any sensible amount of time.

In other words, there probably aren’t that many malware developers who are willing to waste time on Android mining. The fact that someone has tried it does not mean that others will follow suit, as the returns are simply too low.