Cryptocurrency-mining script planted in apps on Google Play

Coinhive’s cryptocurrency-mining script has found its way into mobile apps offered on Google Play.

Trend Micro researchers have spotted two apps that have been equipped with it:

The first (prsolutions.rosariofacileads) is an app meant to help users pray the rosary; the second (com.freemo.safetyne) allows users to “earn free Talk, Text, and Data” by racking up credits “by redeeming local coupons and deals, watching videos, taking surveys and more.”

“Both of these samples do the same thing once they are started: they will load the JavaScript library code from Coinhive and start mining with the attacker’s own site key,” the researchers explained.

“This JavaScript code runs within the app’s webview, but this is not visible to the user because the webview is set to run in invisible mode by default. When the malicious JavaScript code is running, the CPU usage will be exceptionally high.”
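Because the miner is ordinary JavaScript loaded into a webview, one way to triage a suspect APK is to scan its packaged web assets for references to the Coinhive library. The following is an added example, not code from Trend Micro or from the original article; the indicator patterns, function names, file names and site key are assumptions made for illustration.

```python
import io
import re
import zipfile

# Indicators of the Coinhive web miner in packaged web assets.
# These patterns are this example's assumptions, not Trend Micro's signatures.
INDICATORS = {
    "coinhive-host": re.compile(rb"coinhive\.com", re.I),
    "miner-constructor": re.compile(rb"CoinHive\.(Anonymous|User|Token)\s*\(", re.I),
}
# Only text-like entries are scanned; strings compiled into classes.dex
# would need a decompiler or a strings pass first.
TEXT_SUFFIXES = (".html", ".htm", ".js", ".json", ".txt")


def scan_apk(apk_bytes):
    """Return sorted (entry name, indicator name) pairs found in an APK's text assets."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:  # an APK is a ZIP archive
        for info in apk.infolist():
            if not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            data = apk.read(info)
            for name, pattern in INDICATORS.items():
                if pattern.search(data):
                    hits.append((info.filename, name))
    return sorted(hits)


def build_sample_apk():
    """Build a constructed, in-memory stand-in for an APK (names and key are made up)."""
    page = (b"<html><body>"
            b"<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
            b"<script>new CoinHive.Anonymous('EXAMPLE_SITE_KEY').start();</script>"
            b"</body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/miner.html", page)
        z.writestr("assets/help.html", b"<html><body>How to use this app</body></html>")
        z.writestr("classes.dex", b"dex\n035\x00")  # placeholder, skipped by the scanner
    return buf.getvalue()


if __name__ == "__main__":
    for entry, indicator in scan_apk(build_sample_apk()):
        print(f"{entry}: {indicator}")
```

A hit only shows that the library is referenced; confirming the hidden-webview behaviour the researchers describe still requires inspecting the app's code.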

Is it worth it for the crooks?

Both of the apps have been pulled from Google Play, and the accounts of their developers have apparently been removed or suspended. They can still be downloaded from some third-party Android stores.

The researchers also unearthed a legitimate wallpaper app (com.yrchkor.newwallpaper) that has been modified to include a mining library.

“The efficacy of mobile devices to actually produce cryptocurrency in any meaningful amount is still doubtful,” the researchers noted, but pointed out that “the effects on users of affected devices are clear: increased device wear and tear, reduced battery life, comparably slower performance.”

They advised users to be on the lookout for covert crypto-mining apps and to uninstall apps that trigger a noticeable performance degradation on their devices.