Avast researchers detect covert malware affecting multiple apps
In November 2017, we detected a strain of malware known as JSMiner in Google Play. The Monero cryptomining capabilities were discovered inside the gaming application Cooee. At the time of discovery, we forecast a rise in mobile mining malware as attackers shift their attention from PC to mobile. This week, we identified two more cryptomining apps in Google Play: SP Browser and Mr. MineRusher, with a combined user base in the thousands.
Just like the campaign late last year, the mobile mining process begins once a user downloads the application and opens it. No further user action, such as tapping a button, is required to execute it. Instead, the app automatically connects to the website apptrackers.org, where the CoinHive JavaScript miner for the Monero cryptocurrency is hosted. Once the connection to the domain is made, mining begins. It runs surreptitiously in the background while the screen is switched off and the device is on mobile data or connected to Wi-Fi. This tactic adds another layer of obscurity to an already imperceptible attack.
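The behaviour described above (an app quietly reaching a miner-hosting domain while the screen is off) is something a device-side network monitor can flag. The following detector is an added example and is not code from Avast or from the apps discussed; it assumes a constructed log format, uses only the apptrackers.org host named in this post as its indicator, and treats package names as placeholders.

```python
import re
from collections import defaultdict

# Indicator from the write-up: the host serving the CoinHive JavaScript miner.
# Adding further hosts is a deployment choice, not something this post provides.
MINER_HOSTS = {"apptrackers.org"}

# Constructed log format (assumption): one outbound connection per line, as a
# device-side network monitor might record it, with the screen state attached.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+pkg=(?P<pkg>\S+)\s+screen=(?P<screen>on|off)\s+"
    r"net=(?P<net>\S+)\s+host=(?P<host>\S+)$"
)

def is_miner_host(host: str) -> bool:
    """Match a listed host, any of its subdomains, or a name containing 'coinhive'."""
    host = host.lower().rstrip(".")
    if "coinhive" in host:
        return True
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)

def find_mining_apps(log_lines):
    """Return {pkg: {"total": n, "screen_off": m}} for apps contacting miner hosts.

    A high screen-off share is the stealth pattern described in the post: the
    miner only runs while the user is not looking at the device.
    """
    hits = defaultdict(lambda: {"total": 0, "screen_off": 0})
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or not is_miner_host(m["host"]):
            continue  # malformed line or ordinary traffic
        rec = hits[m["pkg"]]
        rec["total"] += 1
        if m["screen"] == "off":
            rec["screen_off"] += 1
    return dict(hits)

# Constructed sample log; package names are placeholders, not the real apps'.
SAMPLE_LOG = [
    "2018-04-10T22:15:03Z pkg=placeholder.browser screen=on net=wifi host=example.com",
    "2018-04-10T22:16:10Z pkg=placeholder.browser screen=off net=wifi host=apptrackers.org",
    "2018-04-10T22:16:41Z pkg=placeholder.browser screen=off net=mobile host=cdn.apptrackers.org",
    "2018-04-10T22:17:02Z pkg=placeholder.weather screen=on net=wifi host=api.example.org",
    "2018-04-10T22:18:30Z pkg=placeholder.miner screen=on net=wifi host=apptrackers.org",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for pkg, rec in find_mining_apps(SAMPLE_LOG).items():
        share = rec["screen_off"] / rec["total"]
        print(f"{pkg}: {rec['total']} miner connections, {share:.0%} with screen off")
```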
The first screenshot below shows the source code implementing the attacker's technique. The second screenshot shows how the malware uses apptrackers.org to mine Monero via the two applications.
The good news for users of these apps is that the impact is unlikely to raise any security or privacy concerns. For the attackers, the reward for their efforts is small: mining via mobile devices is notoriously unprofitable. Cryptomining campaigns require large-scale computing power to generate enough coins for a profitable return on investment, and unlike PCs, mobile devices lack the CPU power for an attacker to make any substantial monetary gain.
However, it can cause frustration.
At Mobile World Congress Barcelona in February, we ran an experiment to show how a compromised IoT device can be hijacked by cybercriminals and used as a tool to mine Monero. As part of the demonstration, we invited attendees to mine the cryptocurrency via their mobile devices to experience first-hand the impact on performance and user experience. Those who took part witnessed rapid battery drain, unresponsive websites and, in some cases, full-blown crashes.
The experiment was a reminder of the inconvenience of malicious cryptomining and how pervasive the threat has become. Its purpose was also to help the public visualize the damage that a network of thousands of devices, known as a botnet, could cause, which is a motivation for today's cybercriminals as they look to profit from the growing number of connected devices.
Luckily, there are ways to protect yourself. As cryptocurrencies enter the mainstream, attackers are looking for new ways to take advantage of the trend. The following steps will ensure that you don’t pay the price: