Cryptocurrency-crafting creeps crept crafty code into Google App Store
Chocolate Factory's anti-malware protections fail yet again
Android apps secretly harboring cryptocurrency-mining code have managed to make their way onto the shelves in the official Google Play Store.
Researchers at Trend Micro found three programs available for download in the application souk that were surreptitiously using the spare CPU cycles on people's smartphones to mine Monero, using code built by – you guessed it – Coin Hive. The mining apps were variously disguised as a wallpaper collection, a wireless safety app, and software to help Catholics with rosary prayers.
Essentially, the software would appear to do one very simple thing while sneakily using your hardware and battery power to mine XMR coins for its masters.
"These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit," the researchers stated today. "Users should take note of any performance degradation on their devices after installing an app."
The apps have now been removed, after Trend alerted Google, but the software slipped past the ad giant's malware checking systems by using an old trick. Although the apps appeared benign once they were installed, they immediately contacted a remote server, and downloaded and ran the stealth mining code.
Coin Hive, which was hacked last week, is no longer developing the version of its JavaScript code that harvests cryptocurrency on devices without warning users – and is instead focused on a more legitimate engine that alerts people when their hardware is being used for mining. But that hasn't stopped the unscrupulous from still using the stealthy build, whether it's in 500 hacked WordPress blogs or Chrome extensions.
Monero is a new and lightweight flavor of cyber-cash that is ideal for mining on commodity desktop computers, whereas the much more famous Bitcoin now requires powerful dedicated number crunchers. Even so, mobile phones are a lousy way to produce XMR: although handheld CPUs are pretty beefy these days, the drain on battery life makes it likely users will spot something is up and throw out the intensive apps. Trend estimates that the dodgy apps made just $170 before they were yanked from the store by Google.
Nevertheless, this should be something that Google is picking up on when it accepts apps in its official code bazaar. You expect unofficial app marketplaces to be riddled with malware, but if Google can't keep its own house in order, then what are Android users left with, other than considering iOS? ®