Security researchers at Sophos have spotted over 19 Android apps on the Google's official Play Store that were secretly loading Coinhive script without user knowledge. The developers/attackers hid the mining script inside HTML files in the assets folder of the malicious apps. Whenever the user started one of these apps, this code was also executed, opening WebView browser instance. While the user believed they had downloaded something legit, the mining code was running in the background, hidden from the sight.
Android malware now includes mining scripts (Loapi, Coinhive, CoinMiner)
Dividing the Android mining malware into two categories, researchers said JavaScript in-browser miners were using Coinhive to mine Monero using the application's webview (the browser inside an app). One of these apps secretly hiding Coinhive had between 100,000 to 500,000 downloads. The malicious packages included (a little too much of wrestling...):
- action.wresling.tips
- action.wresting.updates
- best.wresling.tips
- co.stolik.stolik
- com.aovivonatv.app
- com.dav.fitsmoke
- com.learvnteam.game2048
- com.nubx.NubxMobile
- com.sceler.hinet
- com.wrestlingaction
- extreme.action.wwe.wrestin
- top.wresling.tips
- wreslin.action.news
- wreslin.action.videos
- wrestin.action.tips
- com.anees.algorithmsanddatastructures
The second category is of the third-party mining modules where CoinMiner uses a version of cpuminer to mine Bitcoin or Monero. "The miner used is a native version of cpuminer that uses the Stratum Protocol for mining," researchers wrote [PDF]. Apps using this technique include: SafetyNet Wireless app, Recitiamo Santo Rosario, and Car Wallpaper HD Free. All of them have now been removed from the Play Store by Google.
Researchers said that while Android apps have been used by attackers to mine cryptocurrency since 2014, CoinMiner, CoinHive and Loapi (masquerades as popular antivirus or adult content
app) present "a new, worrisome dimension to the trend" that could actually lead to hardware damage.
Since even the legitimate sites and apps are being hijacked to deliver mining scripts, the long-practiced tip of never installing apps from unknown developers might not help in this case. Experts advise users to check their phones for overheating problems and see if a latest download or a certain website is causing it to avoid any permanent damages.
