Is someone mining cryptocurrencies on my device? - Kryptowährungen, crypto-monnaies, criptovalute

Is someone mining cryptocurrencies on my device?

Mining cryptocurrencies is a hot topic these days. Are you aware that your own devices might be mining them without you being even aware of it? As Malware Researcher at Avira, our colleague Mihai Grigorescu took a close look at MemeGenerator, a free Android app that also happens to generate Monero cryptocurrency, to see what would happen. Here are the key findings:

1. Cryptocurrency gets so hot

Adding the MemeGenerator had a huge impact on the device energy use, and the CPU as shown. The device was visibly warmer. It is not clear what running a device at such a high level will do to the device and to its battery in the long run.

2. Best cryptocurrency mining module

It is easy to craft a deceptive android application for mining Monero cryptocurrency which looks completely innocent. The Coinhive Miner makes it easy to do. The only way a user can tell – is when the device gets hot, a byproduct of the unusual load on the device during mining.

3. Tiny bits add up

The payoff for the cryptocurrency miners on your device is tiny – but can add up. Unlike PCs, mobile devices don’t have the processing power to allow an attacker to mine a significant amount of cryptocurrency. However, the small amount they do mine adds up with each infected device and apps like MemeGenerator make it possible to infect a large number of Android devices.

4. Remember, it’s your device

The decision to mine a cryptocurrency should be made by you as the device owner – not as a sneaky move by the bad-intended developers. Anything else is the theft of your time and assets. That is why Avira detects these applications as ANDROID/Coinminer.X.Gen and the javascript as HTML/ExpKit.Gen2.

Here is the complete story of Mihai’s interaction with the MemeGenerator app:

That innocent first look

First thing we’ve learned about any mobile app is to look carefully at the required permissions.

Well, this application didn’t require any suspicious permissions – network access was obviously required to share any generated memes with friends, and saving files to the SD card could also be required to save the memes.
As the application seemed legit, this could trap any user into clicking “Install” to continue the installation.

After installation, the app created a nice launcher icon, so we clicked on it …

Without any explanation, we got a list of images to choose from. Thinking that this have been desired background images, we chose one:

We got two input boxes, prefilled with “Texto superior” and “Texto inferior”. After filling them with the text “why is my phone hot” we got the finished meme and options to share it via email, mms message, or Bluetooth.

At first glance, this looked like a very simple app which got the job done – it generated our customized meme.

There was absolutely nothing that would have made a user suspect that there was anything wrong going on with this app. Yet, there was a problem – the device was getting hot.

Looking under the hood

A quick look in LogCat revealed that the application was built with App Inventor and it was loading some content into a WebView.
We decompiled the application to take a closer look:

Looking through the code, we saw that the content was loaded from inside the APK file, from the android_asset folder, so we began by examining this file:

This was the HTML code that generated the list of background images we have earlier picked from, and we saw that it was loading a min.js file:

This was the Coinhive Miner from coinhive.com, we saw the same syntax in their documentation:

So, in our case, ‘K2hXuRJ7cExO4bPknDEWhDabqM0Ls8e3’ was the site key.

I was burning for you

It was no illusion – the smartphone was really getting warmed up. Before starting the app, the first CPU load graph showed a device at rest. But once the app was running, a substantial 48% of the CPU – a load value shown by the green part of the pie chart – was used consistently for mining.

MEME Cryptocurrency conclusions

Coinhive Miner makes it clear with its modular approach: it is easy to make a harmless-looking app for mining cryptocurrency. The only way a user can tell is when the device gets hot – a byproduct of the unusual load on the device when it is mining.

Mining cryptocurrency seems to be a growing trend for cybercriminals to monetize your device. As a cybersecurity firm, we identify and block their attempts to damage your devices, take your private information, and misuse these devices for their own hidden purposes – like mining cryptocurrencies. For these reasons, we detect these applications as ANDROID/Coinminer.X.Gen and the javascript as HTML/ExpKit.Gen2.

IOCs

K2hXuRJ7cExO4bPknDEWhDabqM0Ls8e3 – coinhive site key
6d4daa7588df5e864485b6aab665bd66c79fe6aed842f22d86b8a54bd6dcc3a6 – android application
712bb1af37e7a67f86eb8b2826b8e9bd90af1d0cf213e0d8f5392dcdb5f8ed5d – coinminer JS

This post is also available in: GermanFrenchItalian

Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.