Google has cracked down on apps that mine for cryptocurrency, banning them entirely from its official Google Play Store.
The company quietly updated its developer policy page with the following statement:
We don’t allow apps that mine cryptocurrency on devices. We permit apps that remotely manage the mining of cryptocurrency.
The policy change means that programs using the device’s own processing power to mine cryptocurrency will no longer be allowed in the official Google Play Store, but that Google is still OK with programs that manage cryptocurrency mining services operating elsewhere.
The move mirrors one by Apple, which banned cryptocurrency miners from its stores in June. It also follows other measures by Google to stamp out cryptocurrency mining programs delivered via its products and services. In April, it banned cryptocurrency mining extensions for its Chrome browser from the Chrome store.
This may stop cryptomining, where people voluntarily give up their phone’s processing power to generate digital coins. It is less likely to stop cryptojacking, where apps deliver a legitimate service but also do some cryptomining on the side without the user’s explicit consent.
Cryptojacking has been a growing problem in Android apps. Last year, cryptomining code was found in several apps that had been approved by the Google Play Store. In April, researchers discovered that various Play Store apps that secretly mined for cryptocurrency had been downloaded more than 100,000 times.
A lot of cryptojacking malware is delivered under the radar, because the apps download their malicious code after the user has installed them. Some of them retrieve their cryptojacking code via mobile ads. This makes it harder for Google’s automated malware scanning tools to find them. Google has in the past removed apps that it discovered were cryptojacking.
The search giant has also had to clean up its own YouTube network after it found that ads delivered via the Google-owned DoubleClick advertising service were turning viewers into cryptocurrency miners without their knowledge or consent. It had to erase the ads, which used JavaScript code, to stop them compromising users’ computers and mining using their processing power.
The wording in Google’s developer policy is scant, and there was nothing on the Android or Android Developers’ blog about it at the time of writing, but perhaps we can find some guidance in its explanation for the Chrome cryptomining ban. It said:
Until now, Chrome Web Store policy has permitted cryptocurrency mining in extensions as long as it is the extension’s single purpose, and the user is adequately informed about the mining behavior. Unfortunately, approximately 90% of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with these policies, and have been either rejected or removed from the store.
It’s also worth pointing out that the consequences for badly-managed mining on a phone can be more severe than on a PC. The Loapi malware, which mined for cryptocurrency without the user’s consent, wrecked a phone in 48 hours by overloading its processor so much that the battery swelled up and burst the phone’s case.
The ban will make the anti-cryptojacking stance official, but it will also hit cryptomining apps, which allow users to willingly use their phone power to mine cryptocurrency. The brief wording in Google’s developer policy suggests that even apps mining with the user’s consent will be axed.
Several well-known mining apps were still available on the Google Play store at the time of writing, including Pocket Miner, AA Miner, and NeoNeonMiner. Perhaps Google hadn’t completely enacted its rules yet. It took two months to scrub mining extensions from the Chrome store after the Chrome mining crackdown, so this isn’t entirely surprising.
Critter
“more than 100,00 times.”
Paul Ducklin
Fixed, thanks.
FakeN
If Google banned cryptocurrency mining extensions back in April, wouldn’t you say that Apple followed Google in June? I don’t care who did what and when but please check your facts first….
There is no governance anywhere anymore… anyone can post anything.
Fake news!!!
Paul Ducklin
Lisa seems to have explained the timeline pretty clearly to me.
Google banned cryptomining Chrome extensions in April. Apple banned cryptomining apps from its App Store in June. Google banned cryptomining apps from its Play Store in July.
I’m happy to assume that Google’s browser move in April encouraged Apple’s app decision in June, and that Apple’s decision in turn encouraged Google’s app decision in July…
…but July follows June so how is this ‘fake news’?
Canuckeh
Hey Trumpite, learn to comprehend what you read, after reading it 2 or 3 or however many times it takes for it to sink in. Just reading what you want and twisting it, makes you an idiot.
Mark Stockley
I think we should implement a new version of Godwin’s law. “As an online discussion grows longer, the probability of an accusation of ‘fake news’ approaches 1”. Usenet rules will apply – first person to say it is admitting defeat and automatically triggers the end of the discussion.
Paul Ducklin
Suggesting that a variant of Godwin’s law be brought into play ought itself to be subject to Godwin’s law -)
For all that cybersecurity is a competitive marketplace, which is good for consumer choice, it is also a surprisingly co-operative discipline in which competitors visibly and regularly encourage each other, share research, and work together to fight the crooks.
The OP seems to be offended because we suggested “Apple got there first and Google followed” – as though that were inevitably a bad thing and somehow unfair to Google if put that way.
Why not instead be delighted that two very different companies are on pretty much the same track when it comes to cryptomining and cryptojacking – and that track involves trying to keep cryptomining out of your browser and off your phone?
Mark Stockley
Pffft.
I’ll have you know I’ve only ever suggested as few as 4,478 variations on Godwin’s Law.