Cryptocurrency malware for Android is on the rise and it can physically damage your phone

Sources: Sophos and Kaspersky Lab via Ars Technica

Quote


A newly discovered piece of Android malware carries out a litany of malicious activities, including showing an almost unending series of ads, participating in distributed denial-of-service attacks, sending text messages to any number, and silently subscribing to paid services. Its biggest offense: a surreptitious cryptocurrency miner that's so aggressive it can physically damage an infected phone.

 

Over the past few months, a surge of sites and apps have been caught draining people's CPUs and electricity as they run resource-intensive cryptocurrency mining code. In a handful of cases, the apps or sites disclose what's happening, throttle down the mining, and ask users to participate as a form of payment. In the vast majority of cases, however, the mining is only discovered when users open monitors that track all processes or apps running on a device.

This is a bit concerning. The battery of the phone inflated, possibly due to malware jacking up the CPU all the time. This is very similar to the past thread about websites embedding miners, which likewise jack up your CPU usage.

AV company Sophos called this type of malware "parasitic", as it executes even without user consent.

Quote

Instead of showing up as executable files, they take the form of scripts hidden on websites, mining for cryptocurrency in the browser. Visitors to these sites see no evidence of the mining. The only clues that something may be amiss are their computer slowing down and their fans revving up.

 

A clear example of this is Coinhive, a Monero miner that first appeared in mid-September. The number of sites hiding it has steadily increased in recent weeks, as cryptocurrency values have taken a wild trajectory skyward. Given their parasitic nature, Sophos has decided to start tagging Coinhive and other JavaScript-based cryptominers as malware to be blocked when users stumble upon a site harboring them.

So if your shiny Google Pixel 2 or new Samsung Galaxy Note 8 decides to thermal throttle all the time, chances are it's not your installed apps running in the background hogging resources but miners cranking up CPU usage. So imagine if a phone like the HTC One M9 with a Snapdragon 810 got infected by mining malware: it'll probably end up like a Galaxy Note 7, unless Linus cools it with ice while it's mining Monero or Bitcoin.

Kaspersky published an article detailing one example of this mining malware, which they named "Trojan.AndroidOS.Loapi", or, as they call it, a "jack of all trades".

Quote

Samples of the Loapi family are distributed via advertising campaigns. Malicious files are downloaded after the user is redirected to the attackers’ malicious web resource. We found more than 20 such resources, whose domains refer to popular antivirus solutions and even a famous porn site. As we can see from the image below, Loapi mainly hides behind the mask of antivirus solutions or adult content apps:


After the installation process is finished, the application tries to obtain device administrator permissions, asking for them in a loop until the user agrees. Trojan.AndroidOS.Loapi also checks if the device is rooted, but never subsequently uses root privileges – no doubt they will be used in some new module in the future.


Self-protection

Loapi aggressively fights any attempts to revoke device manager permissions. If the user tries to take away these permissions, the malicious app locks the screen and closes the window with device manager settings, executing the following code:


As well as this fairly standard technique to prevent removal, we also found an interesting feature in the self-protection mechanism. The Trojan is capable of receiving from its C&C server a list of apps that pose a danger. This list is used to monitor the installation and launch of those dangerous apps. If one of the apps is installed or launched, then the Trojan shows a fake message claiming it has detected some malware and, of course, prompts the user to delete it:


This message is shown in a loop, so even if the user rejects the offer, the message will be shown again and again until the user finally agrees and deletes the application.

Web crawling module

Purpose and functionality: this module is used for hidden JavaScript code execution on web pages with WAP billing in order to subscribe the user to various services. Sometimes mobile operators send a text message asking for confirmation of a subscription. In such cases the Trojan uses SMS module functionality to send a reply with the required text. Also, this module can be used for web page crawling. An example of a web page crawling task received from the server is shown below:


This module together with the advertisement module tried to open about 28,000 unique URLs on one device during our 24-hour experiment.

Proxy module

Purpose and functionality: this module is an implementation of an HTTP proxy server that allows the attackers to send HTTP requests from the victim’s device. This can be used to organize DDoS attacks against specified resources. This module can also change the internet connection type on a device (from mobile traffic to Wi-Fi and vice versa).

Mining Monero

Purpose and functionality: this module uses the Android version of minerd to perform Monero (XMR) cryptocurrency mining. Mining is initiated using the code below:


The code uses the following arguments:

  • url – mining pool address, “stratum+tcp://xmr.pool.minergate.com:45560”
  • this.user – username, value randomly selected from the following list: “lukasjeromemi@gmail.com”, “jjopajopaa@gmail.com”, “grishaobskyy@mail.ru”, “kimzheng@yandex.ru”, “hirt.brown@gmx.de”, “swiftjobs@rambler.ru”, “highboot1@mail333.com”, “jahram.abdi@yandex.com”, “goodearglen@inbox.ru”, “girlfool@bk.ru”
  • password – constant value, “qwe”

More details can be found in the Kaspersky article linked above. So just a tip for anyone with an Android phone who might encounter mining malware: if it prompts you to uninstall your Android anti-virus, don't believe it; instead, scan your phone with your AV, but make sure to update it with the latest signatures first. What's worrisome is that it exploits social engineering, and many people fall for it even though it requires user intervention, and it can potentially brick your Android phone. Looks like 2018 will be a year of much worse cybersecurity woes.

No word just yet on cryptomining malware on iOS, but given that it's not an executable, just a script, I wouldn't be so surprised if iPhones and iPads were the next target, especially since Apple's custom A11 Bionic SoC is much more powerful than the Snapdragon 835.

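The Kaspersky excerpt above gives the concrete indicators of Loapi's mining module: a stratum+tcp:// pool URL, a pool of hard-coded account names and the constant password "qwe". The following is an added example, not code from Kaspersky, Sophos or the malware, showing how a responder would turn those indicators into a check against two kinds of evidence: strings pulled out of a suspect APK, and the first client message on outbound TCP connections from a capture or proxy log. It assumes the miner speaks the usual CryptoNote/Monero stratum dialect (minerd/xmrig style), whose first message is a JSON-RPC "login" call; the pool host, port, account name and password are taken from the post, while all sample strings and payloads are constructed for the example.

```python
"""Stratum mining-pool indicator scanner (added example).

Not code from the Kaspersky write-up, Sophos or Loapi itself. It checks
two things a responder can actually get hold of:
  1. strings pulled from a suspect APK (e.g. `strings classes.dex`), for
     stratum+tcp:// pool URLs and the pool credentials quoted in the post;
  2. the first client payload of outbound TCP connections (from a pcap or
     a proxy log), for the JSON-RPC "login" call that CryptoNote/Monero
     stratum clients (minerd, xmrig) send before anything else.
All sample strings and payloads below are constructed for this example.
"""
import json
import re
from urllib.parse import urlsplit

STRATUM_URL_RE = re.compile(r"""stratum\+(?:tcp|ssl)://[^\s"']+""", re.IGNORECASE)

# Indicators quoted from the Kaspersky analysis in the post above.
LOAPI_POOL_HOST = "xmr.pool.minergate.com"
LOAPI_POOL_PASSWORD = "qwe"


def find_pool_urls(strings):
    """Return (host, port, raw_url) for every stratum URL found."""
    hits = []
    for s in strings:
        for raw in STRATUM_URL_RE.findall(s):
            parts = urlsplit(raw)          # urlsplit accepts the non-standard scheme
            hits.append((parts.hostname, parts.port, raw))
    return hits


def parse_stratum_login(payload):
    """Parse the opening message of a CryptoNote stratum session.

    Monero pool clients start with
      {"method": "login", "params": {"login": <wallet/account>, "pass": ...}}
    Returns (login, password), or None if the payload is not such a call
    (TLS hellos, HTTP requests and binary junk all fail the JSON parse).
    """
    try:
        msg = json.loads(payload.decode("utf-8").strip())
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return None
    params = msg.get("params")
    if not isinstance(params, dict) or "login" not in params:
        return None
    return params["login"], params.get("pass", "")


def scan_connections(connections):
    """connections: iterable of (package, dst_host, dst_port, first_payload).

    A connection is flagged on its first message, not on its port: the pool
    port is attacker-chosen (Loapi used 45560), while plaintext stratum is
    recognisable JSON on the wire regardless of port.
    """
    findings = []
    for package, host, port, payload in connections:
        creds = parse_stratum_login(payload)
        if creds is None:
            continue
        login, password = creds
        reason = "stratum login"
        if host == LOAPI_POOL_HOST or password == LOAPI_POOL_PASSWORD:
            reason += " matching Loapi pool/password"
        findings.append({"package": package, "host": host, "port": port,
                         "login": login, "reason": reason})
    return findings


# Constructed sample input, as if pulled from a suspect APK.
SAMPLE_STRINGS = [
    "Lcom/example/fakeav/MainActivity;",
    "stratum+tcp://xmr.pool.minergate.com:45560",
    "https://play.google.com/store/apps/details?id=com.example.fakeav",
]

# Constructed first payloads: a stratum login, a TLS ClientHello, an HTTP request.
SAMPLE_CONNECTIONS = [
    ("com.example.fakeav", "xmr.pool.minergate.com", 45560,
     b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
     b'{"login":"lukasjeromemi@gmail.com","pass":"qwe","agent":"example-miner"}}\n'),
    ("com.example.news", "example.com", 443, b"\x16\x03\x01\x00\xc4\x01"),
    ("com.example.news", "example.com", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
]

if __name__ == "__main__":
    for host, port, raw in find_pool_urls(SAMPLE_STRINGS):
        print(f"pool URL in strings: {host}:{port}  ({raw})")
    for f in scan_connections(SAMPLE_CONNECTIONS):
        print(f"{f['package']} -> {f['host']}:{f['port']}  {f['reason']} as {f['login']}")
```

Matching on the login message rather than the destination port matters because a pool port is whatever the operator configured; the Loapi sample happened to use 45560, but a re-packed build can change it without touching the protocol. The account names and password are useful as secondary confirmation only, since the next campaign will rotate them.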

Even if iPhones are targeted, at least Apple is usually quick to patch things...

I feel for some Android users though who get security updates months later, or even not at all in some cases... and I really wish it were not the case. One of the main reasons I don't use an Android-based phone... :(


5 minutes ago, bcredeur97 said:

Even if iPhones are targeted, at least Apple is usually quick to patch things...

I feel for some Android users though who get security updates months later, or even not at all in some cases... and I really wish it were not the case. One of the main reasons I don't use an Android-based phone... :(

JavaScript mining behind websites is still a pain to deal with on the iPhone. They drain your battery fast :/

Don't know about the apps itself, but I would think of it as a user exploit. I mean it feels like you're being exploited.


waits for patch...........

Oh wait


19 minutes ago, hey_yo_ said:

[screenshot quoted from the post above]

Does anyone actually trust an app with CM in the title? (I assume people associate these apps with the CyanogenMod moniker)

On topic: As usual, you can't trust random AV and pr0n apps. Time to enable NoScript on phones :S (Good thing FF on Android supports plugins)


6 minutes ago, bcredeur97 said:

Even if iPhones are targeted, at least Apple is usually quick to patch things...

I feel for some Android users though who get security updates months later, or even not at all in some cases... and I really wish it were not the case. One of the main reasons I don't use an Android-based phone... :(

Just like OnePlus and others, unless they own a Pixel phone. You can partly blame Qualcomm for Android phones not receiving timely software updates. I hope the likes of LG and Samsung will use Project Treble.

[Project Treble diagrams: before and after]

1 minute ago, Mykie said:

JavaScript mining behind websites is still a pain to deal with on the iPhone. They drain your battery fast :/

Don't know about the apps itself, but I would think of it as a user exploit. I mean it feels like you're being exploited.

Even if a website were embedded with mining malware, a browser like Safari has to be open, and the payload would have to execute outside of Safari's sandbox and iOS code signing, which is doable but not easy. Apple is also quick in releasing software updates, and when iPhones get warm they display a temperature warning.

[iOS temperature warning screenshot]


2 minutes ago, DrMacintosh said:

waits for patch...........

Oh wait

SICK BURN BRAH


1 minute ago, tjcater said:

On topic: As usual, you can't trust random AV and pr0n apps. Time to enable NoScript on phones :S (Good thing FF on Android supports plugins)


Wouldn't blocking scripts from your browsing cripple browsing? As far as I know, many websites use scripts to function properly. Even when I was using an Android phone years ago I never used an AV and I'm not sure if their Android counterparts have the same scanning engines and behavior blocking features like their Windows counterparts. I always thought that Android AV programs are useless since apps run on a sandbox.


6 minutes ago, DrMacintosh said:

waits for patch...........

Oh wait

More like "wait for a buy Android phone". xD


Just now, hey_yo_ said:

Wouldn't blocking scripts from your browsing cripple browsing? As far as I know, many websites use scripts to function properly. Even when I was using an Android phone years ago I never used an AV and I'm not sure if their Android counterparts have the same scanning engines and behavior blocking features like their Windows counterparts. I always thought that Android AV programs are useless since apps run on a sandbox.

I personally don't use any AV on Android (no built-in one AFAIK, also I don't trust any of them :P ); as for browsing, I would enable scripts for specific domains (it's a pain, but hey, you avoid extra battery and CPU usage on mobile). Though I don't browse the web much through a browser on my phone.


So looking at the post, it seems that the user still needs to download the infected/fake app in question to get the malware. Even in the lack of a security patch, this malware can be avoided via being semi-smart on the internet. Correct?


3 minutes ago, tjcater said:

I personally don't use any AV on android (No built in one AFAIK, also I don't trust any of them :P )

At the moment Google has added an anti-virus built into Google Play services, so you're actually using an Android AV without knowing it, just like Windows Defender in Windows 10.

2 minutes ago, Zodiark1593 said:

So looking at the post, it seems that the user still needs to download the infected/fake app in question to get the malware. Even in the lack of a security patch, this malware can be avoided via being semi-smart on the internet. Correct?

Yes and it looks like many people fall for it. It usually happens when redirected.


1 minute ago, hey_yo_ said:

At the moment Google has added an anti-virus built in to Google Play services so you're actually using an Android AV without knowing it just like Windows Defender in Windows 10.

I never really checked that out. I just assumed it occasionally checked to see if apps had been modified.


Just now, tjcater said:

I never really checked that out. I just assumed it occasionally checked to see if apps had been modified.

Just like Microsoft, realizing that many of their Windows 7 users were not using AV programs because they require annual subscriptions, released Security Essentials and later Windows Defender in Windows 8 and above, Google realized as well that many OEMs are not releasing security updates on time, so they needed to do something and made Google Play Protect for free.


14 minutes ago, Zodiark1593 said:

So looking at the post, it seems that the user still needs to download the infected/fake app in question to get the malware. Even in the lack of a security patch, this malware can be avoided via being semi-smart on the internet. Correct?

Looks like that to me. You can avoid a surprising amount of things by being semi-smart on the internet.


Is there a way to find out if a particular app is mining in the background, because I was running the 100 doors game for android and it was using an extraordinary amount of data and battery for simply displaying a few banner ads.

 

 

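Answering the question above with something a practitioner can run: Android has no task-manager UI, but it is Linux underneath, and `adb shell` can read `/proc/<pid>/stat` for every app process (as the shell user or root; since Android 7, ordinary apps cannot see other apps' /proc entries). Sampling it twice and taking the delta shows which package is cranking the CPU, for instance while the screen is off, which is exactly the footprint of a background miner. The code below is an added example, not from the thread or from any AV product; the two snapshots are constructed sample data in `/proc/<pid>/stat` format, and the package names in them are made up.

```python
"""Find a process quietly burning CPU from two /proc/<pid>/stat samples
(added example, not from the thread or from any AV product).

Capture on a device with, e.g., `adb shell cat /proc/[0-9]*/stat` twice,
30 s apart, and feed both outputs to parse_snapshot(). The snapshots below
are constructed sample data, not real captures.
"""

CLK_TCK = 100   # Linux USER_HZ; use os.sysconf("SC_CLK_TCK") on a live host


def parse_stat_line(line):
    """Return (pid, comm, cpu_ticks) from one /proc/<pid>/stat line.

    The comm field sits in parentheses and may contain spaces or ')', so the
    line is split on the LAST ')' rather than on whitespace. After it, the
    fields are: state ppid pgrp session tty_nr tpgid flags minflt cminflt
    majflt cmajflt utime stime ...; utime and stime are fields 14 and 15 of
    the file, i.e. index 11 and 12 of the tail.
    """
    head, _, tail = line.rpartition(")")
    pid, _, comm = head.partition("(")
    fields = tail.split()
    utime, stime = int(fields[11]), int(fields[12])
    return int(pid), comm, utime + stime


def parse_snapshot(text):
    """Parse the concatenated output of `cat /proc/[0-9]*/stat` into {pid: (comm, ticks)}."""
    procs = {}
    for line in text.splitlines():
        if line.strip():
            pid, comm, ticks = parse_stat_line(line)
            procs[pid] = (comm, ticks)
    return procs


def busy_processes(before, after, interval_s, threshold=0.5):
    """Processes whose CPU share over the interval is at least `threshold`.

    share = delta_ticks / (interval_s * CLK_TCK); 1.0 means one core saturated
    for the whole interval. Pids present in only one snapshot, or reused by a
    different program in between, are skipped.
    Returns [(pid, comm, share)] sorted by share, highest first.
    """
    budget = interval_s * CLK_TCK
    hits = []
    for pid, (comm, ticks_after) in after.items():
        if pid not in before or before[pid][0] != comm:
            continue                     # new process, or pid reused
        share = (ticks_after - before[pid][1]) / budget
        if share >= threshold:
            hits.append((pid, comm, share))
    return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed snapshots, 30 s apart. Fields past stime are filler and unused.
# Note the comm containing a space ("Web Content") and the pid only in AFTER.
BEFORE_SNAPSHOT = """\
1234 (com.example.fakeav) S 612 612 0 0 -1 1077936448 51234 0 12 0 4200 900 0 0 20 0 19 0 500000 1500000000 30000
1401 (com.android.systemui) S 612 612 0 0 -1 1077936448 9000 0 3 0 50000 20000 0 0 20 0 40 0 1200 2000000000 60000
777 (Web Content) S 1300 1300 0 0 -1 1077936448 400 0 1 0 300 80 0 0 20 0 8 0 90000 900000000 20000
"""
AFTER_SNAPSHOT = """\
1234 (com.example.fakeav) R 612 612 0 0 -1 1077936448 51500 0 12 0 6750 1200 0 0 20 0 19 0 500000 1500000000 30500
1401 (com.android.systemui) S 612 612 0 0 -1 1077936448 9010 0 3 0 50040 20010 0 0 20 0 40 0 1200 2000000000 60000
777 (Web Content) S 1300 1300 0 0 -1 1077936448 420 0 1 0 420 100 0 0 20 0 8 0 90000 900000000 20000
2042 (com.example.news) S 612 612 0 0 -1 1077936448 10 0 0 0 5 2 0 0 20 0 4 0 800000 700000000 15000
"""

if __name__ == "__main__":
    before = parse_snapshot(BEFORE_SNAPSHOT)
    after = parse_snapshot(AFTER_SNAPSHOT)
    for pid, comm, share in busy_processes(before, after, 30.0):
        print(f"pid {pid} {comm}: {share:.0%} of one core over 30 s")
```

The CPU delta alone does not prove mining, but an app holding close to a full core while it is not in the foreground is the thing to investigate first; pairing it with the package's outbound connections (`dumpsys netstats` on the device, or a capture) tells you whether that CPU time is being sold to a pool.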

Pretty sure most people would notice their phone is burning a hole through their trouser pocket.


9 minutes ago, Master Disaster said:

Pretty sure most people would notice their phone is burning a hole through their trouser pocket.

Turning every Android phone into a Galaxy Note 7 ?

12 minutes ago, mr moose said:

Is there a way to find out if a particular app is mining in the background, because I was running the 100 doors game for android and it was using an extraordinary amount of data and battery for simply displaying a few banner ads.

I don’t think so. I’m not aware of any Task Manager equivalent on Android. Either you scan your apps using the built in Google Play Protect or a third party Android AV. But playing a game is more likely expected to drain battery life and many of them display ads especially if they’re free. 


1 minute ago, hey_yo_ said:

Turning every Android phone into a Galaxy Note 7 ?

I don’t think so. I’m not aware of any Task Manager equivalent on Android. Either you scan your apps using the built in Google Play Protect or a third party Android AV. But playing a game is more likely expected to drain battery life and many of them display ads especially if they’re free. 

This app used 150 MB in only a few hours of play (as reported by Android and witnessed on my phone bill). Also I have had similar apps with ads that use much less battery.


1 minute ago, mr moose said:

This app used 150 MB in only a few hours of play (as reported by Android and witnessed on my phone bill). Also I have had similar apps with ads that use much less battery.

Use wifi. Using cellular data will not only jack up your phone bill but it drains battery significantly faster than wifi. Also, make sure you have good coverage as crappy reception can also cause terrible battery life as the radios in the phone will use more power to search for a signal. Try enabling airplane mode then re-enable wifi again. 


7 minutes ago, hey_yo_ said:

Use wifi. Using cellular data will not only jack up your phone bill but it drains battery significantly faster than wifi. Also, make sure you have good coverage as crappy reception can also cause terrible battery life as the radios in the phone will use more power to search for a signal. Try enabling airplane mode then re-enable wifi again. 

But why is this one app different to all the others?


2 hours ago, mr moose said:

But why is this one app different to all the others?

Bugs? Try writing a review to the developer via Google Play 


People who get Trojans and other malware have to be so fucking ignorant about their safety. Some of the messages could literally tell that they will get hacked if they press "Yes", and a lot of them will do it.
