TrendLabs Malware Blog - Trend Micro
Recently, other researchers reported that a new Android malware family (detected as ANDROIDOS_KAGECOIN.HBT) has cryptocurrency mining capabilities. Based on our analysis, this malware mines several digital currencies, including Bitcoin, Litecoin, and Dogecoin. This has real consequences for users: shorter battery life and increased wear and tear on the device, both of which can shorten its lifespan.

The researchers originally found ANDROIDOS_KAGECOIN as repackaged copies of popular apps such as Football Manager Handheld and TuneIn Radio. The apps had been injected with the CPU mining code from a legitimate Android cryptocurrency mining app; that code is in turn based on the well-known cpuminer software.

To hide the malicious code, the cybercriminal modified the Google Mobile Ads portion of the app, as seen below:

Figure 1. The modified Google Mobile Ads code

The miner is started as a background service once the malware detects that the affected device is connected to the Internet. By default, it launches the CPU miner and points it at a dynamic domain, which in turn redirects to an anonymous Dogecoin mining pool.

By February 17, this network of mobile miners had earned the cybercriminal thousands of Dogecoins. After February 17, the cybercriminal changed mining pools. The malware is configured to download a file containing the information needed to update the miner's configuration; this configuration file was updated, and the miner now connects to the well-known WafflePool mining pool. The Bitcoins mined have been paid out (i.e., transferred to the cybercriminal's wallet) several times.

Figure 2. Coin pool configuration code

The coin-mining apps discussed above were found outside of the Google Play store, but we have found the same behavior in apps inside Google Play. These apps have been downloaded by millions of users, which means that many Android devices may be mining cryptocurrency for cybercriminals. We detect this new malware family as ANDROIDOS_KAGECOIN.HBTB. (As of this writing, these apps are still available.)

Figure 3. Mining apps in Google Play

Figure 4. Download count of mining apps

Analyzing the code of these apps reveals the cryptocurrency mining code inside. Unlike the other malicious apps, these apps mine only while the device is charging, so that the increased energy usage is less likely to be noticed.
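The two start conditions described above (the miner launched as a background service once the device has network connectivity, and, in the Google Play variant, mining only while the device is charging) commonly surface in an app's manifest as broadcast receivers, and the cpuminer heritage surfaces in the app's strings. The script below is an added example, not code from the original post or from Trend Micro, of a static triage pass over an unpacked APK that looks for both. The manifest, the component names, and the strings dump it runs on are constructed for the example, and the indicator list is a heuristic for analysts, not a detection signature for ANDROIDOS_KAGECOIN.

```python
"""Static triage of an unpacked Android app for embedded CPU-miner indicators.

Added example, not code from the original post or from Trend Micro. It
assumes the APK has been unpacked (for example with apktool) so that the
manifest is plain XML and the app's strings have been dumped to a text file.
The sample manifest and strings dump below are constructed for this example;
the real samples hid their code under Google Mobile Ads class names, which
is why no class-name-based check is attempted here.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Broadcast actions that let a component start without the user opening the app.
TRIGGER_ACTIONS = {
    "android.net.conn.CONNECTIVITY_CHANGE": "starts when the device gets a network connection",
    "android.intent.action.ACTION_POWER_CONNECTED": "starts when the device is put on charge",
    "android.intent.action.BOOT_COMPLETED": "starts at boot",
}

# Strings characteristic of cpuminer-derived code and of pool connections.
STRING_PATTERNS = [
    (re.compile(r"stratum\+tcp://[\w.\-]+(?::\d+)?"), "stratum pool URL"),
    (re.compile(r'"method"\s*:\s*"getwork"'), "getwork JSON-RPC request"),
    (re.compile(r"mining\.subscribe"), "stratum subscribe method"),
    (re.compile(r"\bcpuminer\b", re.IGNORECASE), "cpuminer banner"),
    (re.compile(r"\b(?:scrypt|sha256d)\b"), "cpuminer algorithm name"),
]
# Indicators strong enough on their own to say "this talks to a mining pool".
STRONG = {"stratum pool URL", "getwork JSON-RPC request",
          "stratum subscribe method", "cpuminer banner"}


def scan_manifest(manifest_xml: str) -> dict:
    """List declared services and the receivers that hook silent-start triggers."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    result = {"services": [], "triggers": []}
    if app is None:
        return result
    for comp in app:
        name = comp.get(ANDROID_NS + "name", "?")
        if comp.tag == "service":
            result["services"].append(name)
        elif comp.tag == "receiver":
            for action in comp.iter("action"):
                act = action.get(ANDROID_NS + "name", "")
                if act in TRIGGER_ACTIONS:
                    result["triggers"].append((name, act, TRIGGER_ACTIONS[act]))
    return result


def scan_strings(strings_dump: str) -> list:
    """Return (indicator label, matched text) pairs from the strings dump."""
    hits = []
    for line in strings_dump.splitlines():
        for pattern, label in STRING_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((label, match.group(0)))
    return hits


def triage(manifest_xml: str, strings_dump: str) -> dict:
    """Combine both scans. A pool/cpuminer fingerprint plus a silent-start
    trigger is the combination the post describes, so that is the verdict."""
    manifest = scan_manifest(manifest_xml)
    strings = scan_strings(strings_dump)
    labels = {label for label, _ in strings}
    return {
        "services": manifest["services"],
        "triggers": manifest["triggers"],
        "strings": strings,
        "likely_miner": bool(manifest["triggers"]) and bool(labels & STRONG),
    }


# Constructed sample input: a repackaged app with an extra service and a
# receiver that wakes it on network or charger events. All names are invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.radio">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Example Radio">
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.ads.update.UpdateService"/>
    <receiver android:name="com.example.ads.update.EventReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

SAMPLE_STRINGS = """\
Example Radio
/files/miner.conf
stratum+tcp://pool.example.net:3333
scrypt
cpuminer
{"method": "getwork", "params": [], "id": 0}
"""

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A legitimate app can register for connectivity changes too, which is why the verdict requires a trigger and a pool or cpuminer fingerprint together; on a real unpack, the strings dump should cover any bundled native libraries as well, since that is where cpuminer code usually lives.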

Figure 5. Cryptocurrency mining code

The same miner-configuration updating logic is also present here. Analyzing the configuration file, it appears that the cybercriminal responsible is switching to mining Litecoin.
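The configuration update mechanism, both here and in the earlier samples where the downloaded file re-pointed the miner from an anonymous Dogecoin pool to WafflePool, is the analyst's best handle on where the proceeds go. The snippet below is an added example, not code from the post or from the malware, of parsing two fetched configuration files and reporting what changed between them. It assumes the file uses the JSON keys that cpuminer itself accepts via --config (url, user, pass, algo), which the post does not confirm, and both sample configurations, including the payout address, are constructed.

```python
"""Parse and diff cpuminer-style miner configuration files.

Added example, not code from the original post. The post says the malware
downloads a file that updates the miner's configuration and that the pool
changed from an anonymous Dogecoin pool to WafflePool and, in the Google Play
variant, to Litecoin mining; it does not show the file format. This example
assumes the JSON layout that cpuminer itself accepts via --config ("url",
"user", "pass", "algo"). Both sample configs below are constructed, and the
payout address in the second one is invented.
"""
import json
from urllib.parse import urlsplit

# Hostname fragments used to label the likely target coin in a report.
# Heuristic only; the miner knows the pool host, not the coin.
COIN_HINTS = {"doge": "Dogecoin", "ltc": "Litecoin",
              "litecoin": "Litecoin", "btc": "Bitcoin"}


def parse_config(text: str) -> dict:
    """Normalize one config into the fields an analyst wants to report."""
    cfg = json.loads(text)
    url = cfg.get("url", "")
    # cpuminer accepts stratum+tcp://host:port (stratum) and http://host:port (getwork).
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    user = cfg.get("user", "")
    # Many pools take "<payout address or account>.<worker>" as the username;
    # the part before the first dot identifies who gets paid.
    payout_id = user.split(".", 1)[0]
    coin = next((c for hint, c in COIN_HINTS.items() if hint in host), "unknown")
    return {
        "scheme": parts.scheme,
        "host": host,
        "port": parts.port,
        "algo": cfg.get("algo", ""),  # scrypt for Litecoin/Dogecoin pools
        "user": user,
        "payout_id": payout_id,
        "coin_hint": coin,
    }


def diff_configs(old_text: str, new_text: str) -> dict:
    """Return {field: (old, new)} for every field that changed between two
    fetched config files, which is how a pool switch shows up."""
    old, new = parse_config(old_text), parse_config(new_text)
    return {k: (old[k], new[k]) for k in old if old[k] != new[k]}


# Constructed configs: the first points at a Dogecoin pool, the second at a
# Litecoin pool with a fake Bitcoin-style payout address as the username.
CONFIG_V1 = json.dumps({
    "url": "stratum+tcp://doge.pool.example:3333",
    "user": "dogeworker.phone1", "pass": "x", "algo": "scrypt", "threads": 2,
})
CONFIG_V2 = json.dumps({
    "url": "stratum+tcp://ltc.pool.example:3334",
    "user": "1ConstructedPayoutAddressForExample.phone1", "pass": "x",
    "algo": "scrypt", "threads": 2,
})

if __name__ == "__main__":
    print("current:", parse_config(CONFIG_V2))
    for field, (before, after) in diff_configs(CONFIG_V1, CONFIG_V2).items():
        print(f"{field}: {before!r} -> {after!r}")
```

Re-fetching the configuration file on a schedule and diffing it the same way is a cheap way to notice the next pool switch, and the payout identity extracted from the username is what ties several samples to one operator.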

Figure 6. Configuration file, showing the switch to Litecoin mining

We believe that with thousands of affected devices, the cybercriminal has accumulated a great deal of Dogecoins.

Reading the app descriptions and the terms and conditions on these apps' websites, users may not realize that their devices could be used as mining devices, because of the murky language and vague terminology.

Clever as the attack is, whoever carried it out may not have thought things through. Phones do not have enough processing power to serve as effective miners. Users will also quickly notice the odd behavior the miners cause: slow charging and excessively hot phones are hard to miss, so the miner's presence is not particularly stealthy. Yes, the attacker can make money this way, but at a glacial pace.

Users whose phones and tablets are suddenly charging slowly, running hot, or quickly running out of battery may want to consider whether they have been exposed to this or similar threats. Also, just because an app has been downloaded from an app store, even Google Play, does not mean it is safe.

We have informed the Google Play security team about this issue.

• hli

  Is there some way we can contact Veo Zhang and obtain the malware APK for research purposes?

• Checksum

  Great research, thank you!!! Thanks for reminding me why I'm using your products :)

  • TrendLabs

    You're welcome!

• Okha

  I've got TuneIn Radio on iPhone. Should I delete it?

  • Woochifer

    Doubtful, because those are hacked versions of legit apps that got uploaded to various Android stores outside of Google Play. If you downloaded the TuneIn app from the iTunes store, it's the legit version since Apple screens out derivative versions of existing apps before they can get posted.

• Thiru Kumaran

  Thanks for the info :)

  • TrendLabs

    No problem, Thiru!

• zags

  Wow, thanks for the info. Is there a site/database where questionable apps like these are listed?

  • MichaelQ

    Yes, it's called Google Play.

© Copyright 2013 Trend Micro Inc. All rights reserved.