SophosLabs continues to see an increase in web-based cryptominers that quietly tap into the processing power of victims’ computers while digging for digital currency. The latest examples target Android devices through tainted apps on Google Play.
The malicious discoveries are outlined in a new paper written by Pankaj Kohli, a threat researcher from our team in Sydney.
Android mining malware is divided into two categories in the paper: JavaScript in-browser miners and third-party mining modules, such as CoinMiner.
Kohli reports that, since the start of the year, SophosLabs has discovered 19 apps in Google Play that were hiding JavaScript-based mining program CoinHive. Meanwhile, researchers have recorded more than 28,000 Loapi mining malware variants in the wild, which were released between June and November 2017.
How Coinhive works
CoinHive mines for Monero from a web browser, specifically the application’s webview. Since this webview is often hidden and the program doesn’t ask for permission to tap into the device’s processing power, the user doesn’t see anything happening, . The user may, however, notice the sluggishness and increased temperature of the device, owing to the constantly high CPU usage by the miner.
How CoinMiner works
This third-party miner uses a version of cpumineron to dig for either BitCoin or Monero on a victim’s device. Kohli explains that CoinMiner has been found hidden in tampered versions of popular applications on third-party websites. One such site offers apps disguised as an installer for popular applications available on Google Play, such as antivirus apps, games, utilities and more.
The rise of CoinHive and CoinMiner comes on the heels of another malicious miner found on third-party sites called Loapi, which poses as popular antivirus and adult content apps. It downloads and installs several modules, each of which perform different malicious actions, like sending device information to a remote server, stealing SMS, pulling in advertisements, crawling webpages, creating a proxy and mining Monero. Sophos Mobile Security (SMSec) detects these as Andr/Loapi.a and Andr/Loapi.B.
How Sophos protects customers
SophosLabs detects the CoinMiner variants as Andr/CoinMine-A and App/BtMiner-A. The CoinHive cases are detected as App/AndrCnhv-A and App/JSMiner. Sites housing these are blocked before the user can stumble upon contaminated pages.
To receive that protection, we encourage users to download Sophos Mobile Security, an Enterprise Mobility Management (EMM) technology that specializes in safeguarding corporate information that lives on personal and business-owned devices.
We previously detected cryptominers as PUAs (Potentially Unwanted Applications), which meant no automatic cleanup. Admins were instead presented with alerts for PUA detections and could manually choose from three possible options: Cleanup, Authorize or Acknowledge.
However, that changed last month as SophosLabs began to see evermore sneaky behavior from the likes of CoinHive. Given the parasitic nature of these types of cryptominers we now tag them as malware to be blocked when users stumble upon a site harboring them.
SophosLabs reported the latest discoveries to Google, which has since removed the offending apps from Google Play.