In October last year, three Android apps on Play Store were found infected with Coinhive cryptocurrency miner to generate Monero digital coins. Now, an IT security researcher Elliot Alderson found fake Android apps that are infected with Coinhive cryptocurrency miner specially developed to use the CPU power of a targeted device.
Fake app real miner
According to Elliot, whose real name is Robert Baptiste, these apps are available on a third-party website that claims to provide free APKs (Android application package) to users but in reality, these APKs are infected with Coinhive miner from the beginning.
“I don’t think these apps are the original apps. The “hacker” modified it and repacked it and after that, he uses multiple dropper apps to distribute these modified apps. Only the package name and the app name has been changed and I just dig up more and in fact, this is the same app 291 times which means there are 291 applications with different icons and names, Baptiste told HackRead.
Upon scanning, some of the APK files available on the site, VirusTotal showed that these files were infected with the Coinhive miner. Remember, secret use of any cryptocurrency miner is considered as using malware against users. To prove the point, last year, CloudFlare booted off one of their customers for secretly using Coinhive miner and not letting site visitors to opt-out or disable the code.
VirusTotal scan result
Found hundreds of infected #android apps with a #Coinhive miner: https://t.co/F8vSSQWSyg
Coinhive miner code: https://t.co/eIVlFoDZP1 …
Dropper app: https://t.co/kVEHPgmt8W …
VT score: 2/61
cc @JAMESWT_MHT @malwrhunterteam @bad_packets @virqdroid @LukasStefanko pic.twitter.com/mxh6abuzfO
— Elliot Alderson (@fs0c131y) January 6, 2018
A look at the scam website (androidapk.world), that is hosting these malicious apps, shows it has been fully indexed in Google search engine without raising any suspicion. Also, the site claims to provide APKs for top apps including Super Mario Run, Netflix, Mobile Strike, Clash of Clans and others.
Screenshot via Elliot Alderson
Moreover, the site was registered in March last year and since then the download counter shows some APK files have been downloaded millions of times. However, it is unclear if the download counter displays real-time figures or cybercriminals behind the scam are manually displaying the numbers to pose as an active and trustworthy APK download site.
Android users be vigilant
Until now, the biggest victims of cryptocurrency miners were website owners and unsuspecting visitors. Now, Android users are also at risk. In the past, cybercriminals preferred malware attacks but since the price of Bitcoin has suddenly surged there has been an increase in attacks involving cryptocurrency miners.
Android users should be aware of the situation and;
Avoid downloading unnecessary apps from Play Store as well as third-party sites. Keep your devices updated Make sure to scan it with a reputed anti-malware software Keep an eye on your phone's CPU usage
Users on PCs
Those on computers should also be aware of the situation and use Whoismining to see if a site they are about to visit is secretly mining cryptocurrency or not. Furthermore, there are two Chrome extensions No Coin and minerBlock developed to block any crypto miners from using your computing power.
About Elliot Alderson
Elliot Alderson is the same security researcher who in November last year found two pre-installed backdoor apps in OnePlus 5, 3 or its 3T model that would allow attackers to spy and steal personal data from users.
