
Malware-laden apps in Google Play store mine cryptocurrency from mobile victims

Trend Micro recently detected malicious apps in the Google Play store that use JavaScript loading and native code injection to avoid being detected.

Malicious Android apps recently detected in the Google Play store are being used to mine cryptocurrency from victim devices, security firm Trend Micro reported in a blog post.

The apps have been detected as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER, the post said. To avoid detection, the apps use techniques such as dynamic JavaScript loading and native code injection, the post noted.

Despite the novelty of cryptocurrencies, this isn't the first time that Trend Micro has detected such apps in the Google Play store. Back in March 2014, the ANDROIDOS_KAGECOIN app was being used to mine currencies like Bitcoin, Litecoin, and Dogecoin.


The ANDROIDOS_JSMINER apps use a JavaScript-based cryptocurrency miner from Coinhive. After loading the library onto the victim's device, they rely on their own site key to begin mining.

The two apps associated with ANDROIDOS_JSMINER were a promotional app called SafetyNet Wireless App and an app based on the rosary called Recitiamo Santo Rosario Free. Even though the JavaScript is running, most users will not be aware because it is set to be invisible by default, the post said. However, high CPU usage will be a giveaway that something is wrong.
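As an added example (not from Trend Micro's post or this article): a static triage check that looks inside an APK's bundled web assets for references to the Coinhive miner script and the site key passed to it. The marker strings come from Coinhive's public JavaScript API rather than from the article, the sample APK and its key are constructed, and an app that fetches the script only at runtime would not be caught by this check alone.

```python
import io
import re
import zipfile

# Markers of the Coinhive in-browser miner API (script name, constructors).
COINHIVE_MARKERS = re.compile(
    rb"coinhive(?:\.min)?\.js|CoinHive\.(?:Anonymous|User)\s*\(", re.IGNORECASE)
# The site key is the first string argument passed to the constructor.
SITE_KEY = re.compile(rb"CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([^'\"]+)['\"]")
TEXT_SUFFIXES = (".js", ".html", ".htm", ".json", ".xml")


def scan_apk(apk_bytes):
    """Return a list of (entry name, first marker, site key or None) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            # Only web-style assets are inspected; DEX and native code are skipped.
            if not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            data = apk.read(info)
            hit = COINHIVE_MARKERS.search(data)
            if hit is None:
                continue
            key = SITE_KEY.search(data)
            findings.append((info.filename,
                             hit.group(0).decode("ascii", "replace"),
                             key.group(1).decode("ascii", "replace") if key else None))
    return findings


def build_sample_apk():
    """Constructed sample: a zip shaped like an APK with one mining page."""
    page = (b"<html><body>"
            b"<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
            b"<script>var m = new CoinHive.Anonymous('CONSTRUCTED_SITE_KEY');"
            b"m.start();</script></body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/engine.html", page)
        z.writestr("assets/about.html", b"<html><body>About this app</body></html>")
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, marker, key in scan_apk(build_sample_apk()):
        print(f"{name}: marker={marker!r} site_key={key!r}")
```

A recovered site key is useful for grouping samples, since every app mining for the same account carries the same key.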

The example Trend Micro shared of an ANDROIDOS_CPUMINER app was a free wallpaper app called Car Wallpaper HD: mercedes, ferrari, bmw and audi. ANDROIDOS_CPUMINER is known for taking legitimate apps, repacking them with mining libraries, and distributing them, the post said. Trend Micro identified at least 25 samples of ANDROIDOS_CPUMINER.

A legitimate cpuminer library exists, the post said, but this app relies on an augmented version of it. The legitimate version goes up to 2.5.0, but the malicious version uses 2.5.1, the post said.

Various types of cryptocurrencies are being mined with these apps, but the total amount that has been generated is unknown. The post did say, however, that the criminals have mined at least $170 so far. For the amount of work, the payout is a pittance.

While mobile devices aren't really useful for generating cryptocurrency, these apps can still impact users by limiting performance and reducing battery life, the post said.

Trend Micro said in the post that it has reached out to Google and the example apps listed above have been removed.

The 3 big takeaways for TechRepublic readers

  1. Trend Micro has identified malicious apps in the Google Play store that use JavaScript to mine cryptocurrencies from user devices.
  2. The apps were identified as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER, and have avoided detection with methods such as dynamic JavaScript loading and native code injection.
  3. The attackers have only made about $170 from the mining, but these apps will reduce battery life and limit performance of victim devices.


About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.
