Cryptominers malware on rising

Cryptocurrency topic has been a permanent news fixture because of the value of digital money that has been rising spectacularly.
Nowadays cybercriminals no longer limit themselves to servers, desktops, and laptops. They are hunting mobile devices, mainly Android too. It was found several types of malware posing as popular programs and games that are secretly mining cryptocurrencies using the CoinHive SDK. In most of the cases, they are counterfeit versions of Instagram, Netflix, Bitmoji, and others. The scammers had added the word “hack” to the original app names. These “hacked” apps were distributed through forums and third-party stores.

This kind of apps can be easily evaded if a robust cybersecurity solution is present in every device that you own. Depending on which version of OS is installed on your device it is imperative to install an antivirus for Windows, an antivirus for Mac or an antivirus for Android. Companies should also use the services of a cybersecurity firm to verify their internal network by running various tests like penetration test and ethical hacking tests.

Primitive miners based on web frameworks are some web frameworks that make it easy to create mobile apps, including miners. This kind of miner is made using a web page containing a JS script for mining cryptocurrency (for example, the CoinHive script). Most of the miners we found of this type were based on the Thunkable and Cordova frameworks. These apps are distributed through third-party sites, although one of them was found in the official Google Play store, where it was removed after we reported it.

It was also found one app built on a different framework, Andromo. The app poses as a discount aggregator at first glance, but instead of linking to sites with discounted products, it loads a page that mines cryptocurrency.
Crypto Mining for Children is an app based on the B4A framework. This app it was found in the official Google store. Its stated goal was to mine cryptocurrency for charity. But the description contained no word about where or how the coins would be spent, which is a common trick used by phishers.
Popular apps infected with miners
Trojan.AndroidOS.Coinge is hidden in popular apps for mining cryptocurrency.

TSF Launcher app infected with miners
In this case, the cybercriminals added the malicious code to the code of other SDKs used by the app. This way, the app runs a library that does the mining.
A modification of Trojan.AndroidOS.Coinge adds mining code to all opened web pages. We found 23 different apps infected by Trojan.AndroidOS.Coinge.

Miners in apps for watching football
The most common mining apps we found were connected to the topic of soccer. The main function of this apps is to show soccer videos while secretly mining cryptocurrency. One of this apps is the PlacarTV app interface.
Another Trojan-turned-miner is Ubsob. This malware poses as a suite of useful apps. The Trojan mainly “resides” in CIS countries, above all Russia.

Fire-prevention miner, this is the most interesting Trojan that was analyzed: Trojan.AndroidOS.Coinge.j., It has no legitimate app functions at all and installs itself either as a porn app or as an Android system app. As soon as it starts, the malware requests device administrator rights to prevent its removal. This malware monitors the device battery and temperature to mine cryptocurrency without posing a fire hazard. It seems the cybercriminals have no desire to repeat the “success” of Loapi, which incinerated our test phone.

Almost a third (29%) of the Trojan’s victims were in India, next was United States (8%), Britain (6%), Iran (5%), and Ukraine (5%).
Remember that only a robust cybersecurity solution can protect your device form all types of unwanted or bogus miners. The use of an active antivirus is mandatory. We strongly recommend to everyone to install an antivirus for Windows, an antivirus for Mac or an antivirus for Android, depending on which version of OS your devices run. If you are a company, please check your network integrity by hiring top cybersecurity firms to perform various tests like penetration test and ethical hacking tests at least once a year.