Researchers at Kaspersky Lab have uncovered multiple Android-based malicious cryptocurrency-mining applications being distributed via the Google Play store, with the miners posing as games, sports-streaming apps and VPNs. Some of these have been downloaded more than 100,000 times.
While the applications appear to provide legitimate functions, their real purpose is to secretly use the CPU power of the device to mine the cryptocurrency Monero.
Illicit cryptocurrency-mining has grown in popularity this year and, while mobile devices have far less power than a PC for illicit mining, there are billions of smartphones around the world and they’re an easy target for attackers. That’s especially the case given how easily users can install apps.
“Cybercriminals are banking on compensating for smartphones’ poor performance and mobile miners’ easy detection through the sheer number of handheld devices out there and their high infectibility,” said Roman Unuchek, security researcher at Kaspersky Lab.
The most common rogue mining apps were connected with soccer, with a Portuguese-language match-streaming app being one of the most commonly downloaded. The app fulfils its advertised function of allowing users to watch broadcast football matches, while also discreetly mining in the background.
A common tactic applied by the attackers is to hide a Coinhive JavaScript miner within the malicious apps. When a user launches a broadcast, the app opens an HTML file with an embedded JavaScript miner, which turns the viewer’s CPU into a resource for mining Monero.
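As an added defender-side example (not code from Kaspersky or the article), the following Python scans the HTML and JavaScript assets of an unpacked APK for the markers of an embedded Coinhive miner described above. The indicator patterns follow the public Coinhive browser API, and the sample pages are constructed for illustration; both are assumptions, not data from the report.

```python
import re
from pathlib import Path

# Indicators of an embedded Coinhive browser miner: the public library URL,
# the miner constructor and the call that starts hashing. Assumed patterns
# based on the public Coinhive JavaScript API, not taken from the article.
COINHIVE_INDICATORS = {
    "script_url": re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I),
    "constructor": re.compile(r"CoinHive\.(?:Anonymous|User|Token)\s*\(", re.I),
    "start_call": re.compile(r"\.start\s*\("),
    "throttle": re.compile(r"throttle\s*:\s*[0-9.]+"),
}
SITE_KEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User|Token)\s*\(\s*['\"]([A-Za-z0-9]{16,})['\"]", re.I)

def scan_html(html: str) -> dict:
    """Return which Coinhive indicators appear in one HTML/JS document."""
    hits = {name: bool(rx.search(html)) for name, rx in COINHIVE_INDICATORS.items()}
    m = SITE_KEY_RE.search(html)
    hits["site_key"] = m.group(1) if m else None
    # A miner needs both the library and a constructor; a lone ".start(" is noise.
    hits["is_miner"] = hits["script_url"] and hits["constructor"]
    return hits

def scan_unpacked_apk(root: str) -> list:
    """Walk an unpacked APK (e.g. apktool output) and list assets that embed a miner."""
    base = Path(root)
    if not base.is_dir():
        return []
    findings = []
    for path in base.rglob("*"):
        if path.suffix.lower() in {".html", ".htm", ".js"}:
            result = scan_html(path.read_text(errors="ignore"))
            if result["is_miner"]:
                findings.append((str(path), result["site_key"]))
    return findings

# Constructed sample: a streaming page that loads the miner and starts it with playback.
SAMPLE_MINER_HTML = """<html><body>
<video src="stream.m3u8" autoplay></video>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLESITEKEY0123456789', {throttle: 0.5});
  miner.start();
</script></body></html>"""

# Constructed benign sample: a video page whose only ".start(" belongs to the player.
SAMPLE_CLEAN_HTML = ("<html><body><video src='stream.m3u8'></video>"
                     "<script>player.start();</script></body></html>")
```

Run `scan_unpacked_apk` against the `assets/` directory of an APK unpacked with apktool; a hit with a site key is the strongest signal, since the key is what credits the mining to the operator.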
Researchers say the soccer-streaming miner was distributed via Google Play and downloaded by over 100,000 users, mostly based in Brazil.
Another popular means of distributing miners via seemingly legitimate apps is to embed them within applications used to provide VPN connections. Researchers found that a cryptocurrency-mining app called Vilny.net has been downloaded over 50,000 times, mostly in Ukraine and Russia.
Those behind Vilny have tailored the app to monitor the device’s battery charge and temperature, allowing the attackers to throttle CPU usage and avoid the overheating and heavy battery drain that come with extensive mining, so that the user doesn’t notice any suspicious activity and connect it with the app.