Lookout Software uncovered the bug, dubbed “BadLepricon,” after which Google removed five applications that were incorporating it. The apps had between 100 and 500 installs each at the time of removal.
“And yes, that is how the malware authors spelled ‘leprechaun,’” wrote Lookout researcher Meghan Kelly, in a blog detailing the infection. “We hope they were going for a clever play on the word ‘con.’”
Although the wallpaper apps did indeed offer live wallpaper featuring everything from anime to hot men, behind the scenes BadLepricon checks the battery level, connectivity and whether the phone’s display is on, every five seconds.
“It does this almost as a courtesy to your phone,” Kelly said. “Miners, when left unchecked, can damage a phone by using so much processing power that it burns out the device. In order to avoid this, BadLepricon makes sure that the battery level is running at over 50 percent capacity, the display is turned off, and the phone has network connectivity.”
She added, “BadLepricon also uses a WakeLock, or a feature that makes sure the phone doesn’t go to sleep even if the display is turned off.”
The misspelling of “leprechaun” notwithstanding, the authors may not be that clever in other ways either, considering that bitcoin mining takes a lot more than a few hundred mobile devices to be lucrative.
“A phone’s computing power doesn’t actually result in that many coins,” Kelly said. “Every coin has a difficulty rate, which is determined by the amount of computing power needed to mine that coin and other factors. The difficulty for bitcoin is so tough right now that a recent mining experiment using 600 quad-core servers was only able to generate 0.4 bitcoins over one year.”
Because of these difficulty levels, miners tend to work in groups, pooling their processing resources and collecting payment as a percentage of the processing power they contribute. It’s unclear whether this particular gambit is part of a pool, however.
“In order to control the sometimes thousands of bots, the malware author may use a proxy to set up one point of contact,” Kelly explained. “BadLepricon uses a Stratum mining proxy, allowing the author to easily change mining pools or connections to bitcoin wallets with ease. It also gives the malware author some anonymity by obfuscating which wallet is being fed the mined bitcoins.”
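As an added illustration (not Lookout’s code and nothing taken from the BadLepricon sample), the following Python shows how a network defender could flag Stratum mining traffic leaving a device: Stratum is newline-delimited JSON-RPC over TCP, so its `mining.subscribe`, `mining.authorize` and `mining.submit` calls stand out in reassembled payloads. The sample stream, pool worker name and interleaved HTTP line are constructed for the example.

```python
import json
from typing import Dict, List, Optional

# Standard Stratum v1 client-to-pool method names. A miner proxied through
# a Stratum proxy, as the article describes, still speaks this protocol.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}

# Constructed sample standing in for reassembled TCP payload lines captured
# from a phone. The worker name is a placeholder, not a real wallet.
SAMPLE_STREAM = """\
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3"]}
{"id": 2, "method": "mining.authorize", "params": ["wallet-placeholder.worker1", "x"]}
GET /wallpapers/anime.jpg HTTP/1.1
{"id": 3, "method": "mining.submit", "params": ["wallet-placeholder.worker1", "job1", "0000", "5353", "abcdef00"]}
not json at all {{{
"""

def parse_stratum_line(line: str) -> Optional[Dict]:
    """Return {'method', 'worker'} if the line is a Stratum client call, else None."""
    line = line.strip()
    if not line.startswith("{"):
        return None                      # fast path: HTTP, TLS records, binary, etc.
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return None                      # malformed or truncated line: skip, do not crash
    method = msg.get("method")
    if not isinstance(method, str) or method not in STRATUM_METHODS:
        return None                      # server-to-client notifications are ignored here
    params = msg.get("params") or []
    # authorize and submit carry the worker/wallet identifier as their first param
    worker = params[0] if method != "mining.subscribe" and params else None
    return {"method": method, "worker": worker}

def detect_stratum(stream: str) -> List[Dict]:
    """Walk a newline-delimited payload and collect every Stratum call seen."""
    return [hit for hit in (parse_stratum_line(l) for l in stream.splitlines()) if hit]

def summarize(hits: List[Dict]) -> Dict:
    """Condense hits into what an analyst wants: is work being submitted, and by whom."""
    return {
        "is_miner": any(h["method"] == "mining.submit" for h in hits),
        "methods": sorted({h["method"] for h in hits}),
        "workers": sorted({h["worker"] for h in hits if h["worker"]}),
    }

if __name__ == "__main__":
    print(summarize(detect_stratum(SAMPLE_STREAM)))
```

Because the detection keys on protocol content rather than a pool hostname or port, it keeps working when the author switches pools behind the proxy, which is exactly the flexibility Kelly describes.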
The discovery follows that of CoinKrypt, which did not employ the same safety checks as BadLepricon and instead severely ran down the batteries of its victims. It focused on coins such as Litecoin, Dogecoin and Casinocoin, which allow miners to mine more coins with less computing power.
Mobile coin mining is likely to become more common as phones and tablets add processing power, Kelly said. And it could actually be built into apps legitimately, eventually.
“We need to remember that mobile mining could be a new business model,” Kelly said. “Instead of being served advertising, people could use a few processing cycles to mine cryptocurrency instead. We can see a world where that would be tolerated, but in the case of BadLepricon, not alerting the user to your intentions will land you straight in the malware pile.”
For now, to protect themselves, users should make sure the Android system setting “Unknown sources” is unchecked to prevent dropped or drive-by-download app installs, and should consider installing a mobile security app.