Another day, another Android malware – This time, the malware not only comes with Monero mining capabilities but its continuous mining process drains the targeted device.
The IT security researchers at Trend Micro have discovered a sophisticated Moreno mining malware targeting Android users in the name of fake Google Play update. As of now, its prime targets are users in China and India since third-party apps are popular in both countries.
HiddenMiner hides behind fake Google Play update app
Dubbed HiddenMiner by researchers the malware hides behind a legitimate looking Google Play update app. Once the app is installed it requires users to activate it as a device administrator and displays persistent pop-ups until victims click the Activate button.
Upon granting the required permission the malware starts using computer (CPU) power of the targeted device to mine Monero cryptocurrency. According to Trend Micro’s blog post, it has been noted that HiddenMiner continuously mines Monero until the next device boot causing it to overheat and potentially fail.
HiddenMiner works similar to Loapi malware that was found a couple of months ago in over 20 third-party Android apps. Loapi also used CPU power of targeted devices to mine Monero cryptocurrency however it also conducted DDoS attacks causing the phone’s battery to the bulge that leads to the destruction of the phone after few days of its installation.
HiddenMiner is a profitable malware
As for HiddenMiner, the researchers have noted that on March 26th, 2018 attackers withdrew 26 Monero (XMR) which is around $5219.76. This means HiddenMiner is a profitable malware and actively targeting Android users without their knowledge.
Monero wallet address used by the attacker (Credit: Trend Micro)
Capable of hiding and evading detection
Moreover, the reason for HiddenMiner’s successful operation is that the malware is equipped with anti-emulator capabilities, therefore, it bypasses detection and automated analysis.
It also uses several techniques to hide itself in devices, such as emptying the app label and using a transparent icon after installation.
This screenshot shows how the malware hides itself from the device owner. (Credit: Trend Micro)
“Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave. For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications,” said Lorin Wu of Trend Micro.
