Stealthy cryptomining apps still on Google Play

Researchers have flagged 25 apps on Google Play that are surreptitiously mining cryptocurrency for their developers, and some of these have still not been removed, they warn.

About the malicious apps

Disguised as games, utilities and educational offerings, these malicious apps have been downloaded and installed more than 120,000 times.

“Most of the apps were found to have embedded code from Coinhive, a JavaScript implementation to mine Monero,” the researchers explained.

“The miner code, which is only a few lines long, can be easily added into any app that uses a WebView embedded browser.”

cryptomining apps Google Play

To keep the mining stealthy, the apps limit CPU usage, so that the victims’ device doesn’t overheat and the battery isn’t drained quickly. Also, the mining does not affect the responsiveness of the device too much, obscuring the fact that the apps are churning out cryptocoin.

“While most of the Coinhive-based mining apps relied on scripts hosted on coinhive.com, two of these apps – co.lighton and com.mobeleader.spsapp – hosted the mining scripts on their own servers, presumably to thwart firewalls or parental controls/reputation services that might block Coinhive’s domain by default,” the researchers pointed out.

One of the apps uses open source CPU miner XMRig instead of a Coinhive script.

What to do?

The researchers notified Google about these mining apps in August, and the company has removed some from the store – namely, preparation apps for standardized tests given in the US published by a developer account named Gadgetium.

Unfortunately, most of the others are still available for download.

Users that don’t use a mobile security solution are unlikely to have noticed the malicious nature of the apps, so it’s a good idea to check the list provided by Sophos to see whether you’re one of the victims roped into mining cryptocurrency and, if you are, to remove the offending apps.