Recently, other researchers reported that a new Android malware family (detected as ANDROIDOS_KAGECOIN.HBT) had cryptocurrency mining capabilities.Based on our analysis, we have found that this malware is involved in the mining for various digital currencies, including Bitcoin, Litecoin, and Dogecoin.This has real consequences for users: shorter battery life, increased wear and tear, all of which could lead to a shorter device lifespan.The researchers originally found ANDROIDOS_KAGECOIN as repacked copies of popular apps such as Football Manager Handheld and TuneIn Radio.The apps were injected with the CPU mining code from a legitimate Android cryptocurrency mining app; this code is based on the well-known cpuminer software.To hide the malicious code, the cybercriminal modified the Google Mobile Ads portion of the app, as seen below: Figure 1.The modified Google Mobile Ads code The miner is started as a background service once it detects that the affected device is connected to the Internet.

By default, it launches the CPU miner to connect to a dynamic domain, which then redirects to an anonymous Dogecoin mining pool.ltc bitcoin miningBy February 17, his network of mobile miners has earned him thousands of Dogecoins.ethereum gtx 1080After February 17, the cybercriminal changed mining pools.litecoin and coinbaseThe malware is configured to download a file, which contains the information necessary to update the configuration of the miner.bitcoin kurs liveThis configuration file was updated, and it now connects to the well-known WafflePool mining pool.litecoin redditThe Bitcoins mined have been paid out (i.e., transferred to the cybercriminal’s wallet) several times.ethereum reddit mining

Coin pool configuration code The coin-mining apps discussed above were found outside of the Google Play store, but we have found the same behavior in apps inside the Google Play store.end of litecoinThese apps have been downloaded by millions of users, which means that there may be many Android devices out there being used to mine cryptocurrency for cybercriminals.bitcoin add nodesWe detect this new malware family as  ANDROIDOS_KAGECOIN.HBTB.bitcoin will hit 10000(As of this writing, these apps are still available.)Mining Apps in Google Play Figure 4.Download count of mining apps Analyzing the code of these apps reveal the cryptocurrency mining code inside.Unlike the other malicious apps, in these cases the mining only occurs when the device is charging, as the increased energy usage won’t be noticed as much.

Cryptocurrency mining code The same miner configuration updating logic is also present here.Analyzing the configuration file, it seems that the cybercriminal responsible is switching into mining Litecoins.Configuration file, showing switch into LiteCoin mining We believe that with thousands of affected devices, cybercriminal accumulated a great deal of Dogecoins.Reading their app description and terms and conditions on the websites of these apps, users may not know that their devices may potentially be used as mining devices due to the murky language and vague terminology.Clever as the attack is, whoever carried it out may not have thought things through.Phones do not have sufficient performance to serve as effective miners.Users will also quickly notice the odd behavior of the miners – slow charging and excessively hot phones will all be seen, making the miner’s presence not particularly stealthy.Yes, they can gain money this way, but at a glacial pace.Users with phones and tablets that are suddenly charging slowly, running hot, or quickly running out of batteries may want to consider if they have been exposed to this or similar threats.

Also, just because an app has been downloaded from an app store – even Google Play – does not mean it is safe.We have informed the Google Play security team about this issue.When you say your app is free of malware but does exactly the opposite, you aren’t just lying, you could also be committing a crime.That is exactly what Prized app developers Equiliv Investments and Ryan Ramminger learned the hard way when they were slapped with an FTC complaint because their app actually used infected smartphones to help the developers mine for cryptocurrency like Dogecoin.The defendants wisely decided to settle out of court, which included a monetary judgment of $50,000, which is no small amount for someone desperately hunting for digital currency.Unlike real money, cryptocurrency is created by running complex algorithms that require computing resources.In short, the more such computing power you have, the more fruitful your mining would be.Without such resources, Prized app developers resorted to the next best thing: pooling the computing power of dozens of smartphones to do the work for them.

Prized masquerades as a rewards app that unwitting users believe will help them earn points just by downloading certain apps or playing games, points which they can later redeem for real life discounts.That alone should probably raise some warning flags.Nonetheless, the Android app promises no malware, and then sets out to do the opposite.The mining malware might seem innocent enough.It doesn’t directly compromise the user’s privacy or security, but the effects are just as damaging.Users with infected devices will suddenly find theirs phones sluggish and easily drained because of the mining program constantly churning in the background.And the issue isn’t as innocent as it sounds.It actually violates at least two laws, the FTC Act as well as the New Jersey Consumer Fraud Act.In this situation, settling definitely is the easiest way out.The District Court of New Jersey imposed a ban on the defendants on creating and distributing such kind of software ever again.They are also instructed to destroy all consumer information they have gathered through the app.