We uncovered a new Android malware that can surreptitiously use the infected device’s computing power to mine Monero. Trend Micro detects this as ANDROIDOS_HIDDENMINER. This Monero-mining Android app’s self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLocker Android ransomware).
We further delved into HiddenMiner and found the Monero mining pools and wallets connected to the malware, and learned that one of its operators withdrew 26 XMR (or US$5,360 as of March 26, 2018) from one of the wallets. This indicates a rather active campaign of using infected devices to mine cryptocurrency.
HiddenMiner uses the device’s CPU power to mine Monero. There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted. Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.
This is similar to the Loapi Monero-mining Android malware, which other security researchers observed to have caused a device’s battery to bloat. In fact, Loapi’s technique of locking the screen after revoking device administration permissions is analogous to HiddenMiner’s.
HiddenMiner is found in third-party app marketplaces. So far, it’s affecting users in India and China, but it won’t be a surprise if it spreads beyond both countries.
HiddenMiner poses as a legitimate Google Play update app, popping up as com.google.android.provider complete with Google Play’s icon. It requires users to activate it as a device administrator. It will persistently pop up until victims click the Activate button. Once granted permission, HiddenMiner will start mining Monero in the background.
HiddenMiner uses several techniques to hide itself in devices, such as emptying the app label and using a transparent icon after installation. Once activated as device administrator, it will hide the app from the app launcher by calling setComponentEnableSetting(). Note that the malware will hide itself and automatically run with device administrator permission until the next device boot. The DoubleHidden Android adware employs similar techniques.
HiddenMiner also has anti-emulator capabilities to bypass detection and automated analysis. It checks if it’s running on an emulator by abusing an Android emulator detector found on Github.
Abusing Device Administration Permission
Users can’t uninstall an active system admin package until device administrator privileges are removed first. In HiddenMiner’s case, victims cannot remove it from device administrator as the malware employs a trick to lock the device’s screen when a user wants to deactivate its device administrator privileges. It takes advantage of a bug found in Android operating systems except Nougat (Android 7.0) and later versions.
Google resolved this security issue in Nougat and later Android OSs by reducing the privileges of device admin applications so they can no longer lock the screens (if it is part of the app’s feature). Device admin will no longer be notified via the onDisableRequested() context. These tactics aren’t new: certain Android ransomware and information stealers (i.e. Fobus) employed these to gain a foothold in the device.
Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave. For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.
Trend Micro Solutions
Trend Micro™ Mobile Security for Android™ (also available on Google Play) blocks malicious apps that may exploit this vulnerability. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.
For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.
Trend Micro’s Mobile App Reputation Service (MARS) covers Android threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
Indicators of Compromise:
Related hashes (SHA-256) detected as ANDROIDOS_HIDDENMINER (package name as com.android.sesupdate):
Monero mining pools and wallets/addresses related to HiddenMiner: