New Android malware that stealthily mines the Monero cryptocurrency is posing as a legitimate Google Play update app (complete with Google Play’s icon), so far affecting users in India and China where third-party app stores are more popular.
According to Trend Micro researchers, the malware is being used in a notably successful and active campaign; in one case, operators withdrew over $5,000 worth of Monero from one wallet.
Dubbed HiddenMiner, it lives up to its name by using various obfuscation techniques, including anti-emulator capabilities, to evade detection and automated analysis. It also hides from the victim by emptying the app label, using a transparent icon and hiding the app from the app launcher.
The malware requires users to activate it as a device administrator; once installed, it keeps popping up a prompt until victims tap the "Activate" button. Once granted that permission, HiddenMiner starts mining Monero in the background and keeps running with device administrator rights until the next device boot. There is no switch, controller or optimizer in HiddenMiner's code, so it mines Monero continuously until the device's resources are exhausted, draining the battery and potentially causing the device to overheat.
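As an added example that is not part of the original article or of Trend Micro's analysis, the following Python triage check looks at a decoded AndroidManifest.xml for the three traits described above: an empty app label, no launcher activity (so no icon in the app drawer), and a receiver that requests device administrator rights. Both manifests are constructed for illustration and their package and class names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    # Manifest attributes such as android:label are stored under the android: namespace.
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def triage_manifest(manifest_xml):
    """Return which HiddenMiner-style hiding/persistence traits a decoded manifest shows."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    # Trait 1: an empty (or missing) label leaves nothing to show in Settings or the launcher.
    empty_label = (_attr(app, "label") or "").strip() == ""
    # Trait 2: no component advertises MAIN + LAUNCHER, so no icon is placed in the app drawer.
    has_launcher = False
    for flt in app.iter("intent-filter"):
        actions = {_attr(a, "name") for a in flt.iter("action")}
        cats = {_attr(c, "name") for c in flt.iter("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            has_launcher = True
    # Trait 3: a receiver protected by BIND_DEVICE_ADMIN is how an app asks to become a device administrator.
    wants_admin = any(_attr(r, "permission") == "android.permission.BIND_DEVICE_ADMIN"
                      for r in app.iter("receiver"))
    findings = {"empty_label": empty_label,
                "no_launcher_activity": not has_launcher,
                "requests_device_admin": wants_admin}
    findings["score"] = sum(findings.values())  # number of traits present, 0..3
    return findings

# Constructed manifests for demonstration; neither is taken from a real sample.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.playupdate">
  <application android:label="" android:icon="@drawable/transparent">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".MinerService"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
  </application>
</manifest>"""
```

A score of 3 on its own is only a triage signal; legitimate device-policy apps also request device administrator rights, so the result should prompt a closer look at the package rather than an automatic verdict.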
The bad code is just the latest malware to hop on the Monero-mining bandwagon; Monero takes fewer resources to mine effectively than other virtual currencies, which makes it well suited to covert mining on low-powered devices.
“Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave,” said the researchers in a blog. “For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”