Android devices targeted in web-based cyberattack, forced to mine cryptocurrency

Android devices are being targeted for mining Monero through forced redirects and rogue ad networks, which could make it difficult for Google to stop the attacks.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A new cryptomining attack targets only Android phones, potentially because mining on phones does not give the audible cue of fans revving up as a processor is maxed out.
  • As the attack is propagated through the web, the potential for Google to detect and ban offending APKs using code audits seems remote.

A series of related web pages have been targeting Android devices for mining the Monero cryptocurrency since at least November 2017. While this attack occurs over the web—not in malware distributed in an APK—the attack and associated mining script can seemingly be invoked as part of advertising modules in free mobile apps.

The attack was discovered by Malwarebytes researcher Jérôme Segura during research into the EITest malware family. While the associated domains display a standard technical support scam when viewed in Internet Explorer or Chrome, the Monero mining attack is delivered through a series of redirects when "Android" is present in the browser user-agent, according to the Malwarebytes blog.
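Because the redirect is conditional on the user-agent, it can show up in web proxy logs as a URL that sends Android clients to a different host than everyone else. The Python sketch below is an added example, not code from the Malwarebytes research; the log record layout, the `.example` hostnames and the function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log records (not real traffic): (user_agent, url, status, location)
SAMPLE_LOG = [
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/64.0",
     "http://site-a.example/landing", 200, None),
    ("Mozilla/5.0 (Linux; Android 7.0; SM-G930F) Chrome/64.0 Mobile",
     "http://site-a.example/landing", 302, "http://miner-page.example/verify"),
    ("Mozilla/5.0 (Linux; Android 8.0; Pixel 2) Chrome/64.0 Mobile",
     "http://site-a.example/landing", 302, "http://miner-page.example/verify"),
    ("Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
     "http://site-b.example/", 301, "https://site-b.example/"),
    ("Mozilla/5.0 (Linux; Android 7.0; SM-G930F) Chrome/64.0 Mobile",
     "http://site-b.example/", 301, "https://site-b.example/"),
    ("Mozilla/5.0 (Linux; Android 7.0; SM-G930F) Chrome/64.0 Mobile",
     "http://site-c.example/", 302, "http://m.site-c.example/"),
]

def outcome(status, location):
    """Reduce a response to the host it redirects to, or None if it is not a redirect."""
    if 300 <= status < 400 and location:
        return urlsplit(location).hostname
    return None

def find_ua_cloaking(records):
    """Map each URL to the off-host redirect targets that only Android user-agents received."""
    seen = defaultdict(lambda: {"android": set(), "other": set()})
    for ua, url, status, location in records:
        group = "android" if "android" in ua.lower() else "other"
        seen[url][group].add(outcome(status, location))
    findings = {}
    for url, groups in seen.items():
        if not groups["other"]:
            continue  # no non-Android baseline to compare against
        origin = urlsplit(url).hostname
        off_host = {h for h in groups["android"] if h and h != origin}
        only_android = off_host - groups["other"]
        if only_android:
            findings[url] = sorted(only_android)
    return findings

if __name__ == "__main__":
    for url, hosts in find_ua_cloaking(SAMPLE_LOG).items():
        print(f"{url}: Android-only redirect to {', '.join(hosts)}")
```

Legitimate sites that send phones to a separate mobile host will also match once a desktop baseline exists, so findings are leads for review rather than verdicts.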

Compared to drive-by mining attacks targeting desktop or notebook computers, mining cryptocurrencies on mobile devices would theoretically be slower, as mobile SoCs are less capable of the number crunching required for mining. However, the telltale signs that mining has started are also less obvious: the often jet-like sound of computer fans spinning at maximum speed as a desktop or laptop processor is driven to 100% does not occur on smartphones.

The attack in question displays an ominous warning that "your device is showing suspicious surfing behavior," indicating to the user that the device will begin mining cryptocurrency "in order to recover server costs incurred by bot traffic" until the user solves a CAPTCHA to prove they are not a bot, the post said. Oddly, the CAPTCHA answer ("w3FaSO5R") is hardcoded in the webpage. After submitting the answer, the script redirects the user to the Google homepage.

The Malwarebytes researchers estimate that the attack only generates a few thousand dollars' worth of Monero per month, though they also note that the wildly fluctuating nature of cryptocurrency valuation could mean that the ill-gotten gains, when cashed out, may be worth significantly more.

This attack is one in a series of similar attacks, as cryptocurrency mining is becoming an increasingly popular way for criminals to generate a profit. The Smominru botnet leverages the EternalBlue exploit used in the WannaCry attack to turn Windows servers into Monero miners, gaining between $2.8 million and $3.6 million. Additionally, more than 4,000 government websites in the United States, United Kingdom, and Australia fell victim to a mining attack via a compromised third-party JavaScript library. Surreptitiously using computing power for mining is not limited to external attacks, as engineers at a Russian nuclear facility were recently detained for using a government supercomputer for mining.

Presently, the Opera web browser has blocked mining scripts from running, but other browser vendors have yet to follow suit. Because this attack is propagated through the web, the potential for Google to ban offending APKs from the Play Store using code audits seems remote.

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.