Millions of Android devices forced to mine Monero for crooks

SmartNA PortPlus - High Performance Visibility Solutions that scale with your network.

No device is safe from criminals looking to make it stealthily mine cryptocurrency for them. However weak its processing power is, it still costs them nothing.

With that in mind, forced crypto mining attacks have also begun hitting mobile phones and tablets en masse, either via Trojanized apps or redirects and pop-unders.

An example of the latter approach has been recently documented by Malwarebytes’ researchers.

The attack

“In a campaign we first observed in late January, but which appears to have started at least around November 2017, millions of mobile users (we believe Android devices are targeted) have been redirected to a specifically designed page performing in-browser crypto mining,” the researchers shared.

The number might be even higher than that, as they believe that some of the browser-hijacking domains remain undetected for now.

The attack goes like this: users are redirected via malvertising chains to malicious websites. In this particular campaign, Internet Explorer and Chrome users were directed to sites serving tech support scams, but Android users were delivered to a crypto mining page:

forced crypto mining Android

Interestingly enough, the page says that the browser will mine cryptocurrency until the user proves that he or she is human by solving a CAPTCHA. But the warning and the test are bogus – they are just a way to make the forced mining acquire a whiff of legitimacy.

How widespread and effective is this scheme?

The researchers identified several identical domains all using the same CAPTCHA code but using different Coinhive site keys in the mining script.

Two of these domains have received over 66 millions of visitors since November 2017, and they estimate that the traffic combined from the five domains they identified so far equals to about 800,000 visits per day, with an average time of four minutes spent on the mining page.

How much Monero could this operation yield, you wonder? It’s difficult to say, exactly.

“Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month. However, as cryptocurrencies continue to gain value, this amount could easily be multiplied a few times over,” the researchers noted.

They also pointed out that, while these devices are less powerful than desktop computers, there is also a much greater number of them out there. Add to this the fact that many users don’t bother installing security apps on their smartphones and tablets, and you have a recipe for low-effort, long-term and widespread stealthy crypto-mining.

Advice for users

“While Android users may be redirected from regular browsing, we believe that infected apps containing ad modules are loading similar chains leading to this crypto mining page. It’s possible that this particular campaign is going after low-quality traffic—but not necessarily bots —and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner,” the researchers said.

If you’re an Android user and you’ve started seeing these bogus pages on the regular, chances are one of the apps you recently downloaded is the culprit. Uninstalling it should fix the problem unless it has some kind of persistence mechanism.

In general, it is a good idea to install a reputed security solution on your device to check for malicious code and behavior each and every app you download and install.