A new malicious cryptocurrency miner was found on Google Play store, and WordPress sites recently, that pretends to be legitimate by using dynamic JavaScript loading and native code injection. It infects the Android devices, resulting in reduced battery life, increased device wear and tear, and slower device performance.
Trend Micro, the antivirus cloud computing security and internet content security software provider, who detected the apps infecting the Play Store, found them to be ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.
“As cryptocurrencies have grown in popularity and value, cryptocurrency mining has turned into a lucrative business,” said Chris Olson, CEO of web monitoring firm The Media Trust. “However, it’s also a resource-intensive business that drives the enslaving of hundreds or thousands of devices to access their computing power.”
- ANDROIDOS_JSMINER
The Android apps that deliver Coinhive JavaScript cryptocurrency miners to users are detected as ANDROIDOS_JSMINER. Such miners were found in two apps- a religious prayer service, and a wireless internet scanner.
When these apps are installed, they load JavaScript library code from Coinhive, and mine with hacker’s own key running within webview of the apps and are not visible to users. The CPU usage is exceptionally high during this process, which consumes more battery power and slows the device performance.
- ANDROIDOS_CPUMINER
These are the Android apps that pretends to be legitimate and adds mining libraries which are further repackaged and distributed. A car wallpapers app called “Car Wallpaper HD: mercedes, ferrari, bmw and audi” contained the CPUMINER malwares. This app deployed the CPUMINER libraries, and mined several cryptocurrencies.
With the mainstream internet access to every mobile, a lot of users download the apps without knowing who their manufacturers are, the encryption they provide, and other information, which becomes a cause for disasters.
Not only the apps in the Google Play Store, websites are also being attacked by the CoinHive miners. The security firm Sucuri in their blog last week, estimated that the cryptocurrency miners were injected in over 500 WordPress websites. The volumes of attack have been unsophisticated and very low so far. Other web platforms like Magento, Joomla, and Drupal were also found to be the victims of this attack at some point of time and these attacks seem to be a new rising trend among hackers now.
Recently, a security bug called KRACK was found in the WPA2 protocol, which enabled the attacker to intercept credit card numbers, passwords, photos, and other sensible information.
Also read: Google and IBM to jointly address developer security challenges with Grafeas
Google has already removed all these apps from the Play Store. Though it is still not clear how many downloads each app received and how much money the attackers made.