Android Security: Coin Miners Show Up in Apps and Sites to Wear Out Your CPU

Security researchers are concerned about the rise of cryptocurrency miners that are being embedded into websites and apps to use a device’s resources without gaining permission.

Security firm Trend Micro discovered three Android apps on Google Play with two different miners.

Two of the apps, Recitiamo Santo Rosario Free and SafetyNet Wireless App, use the popular Coinhive JavaScript in-browser Monero miner, while a third app, called Car Wallpaper HD: mercedes, ferrari, bow and audi, includes a malicious version of the legitimate cpuminer library.

Google removed the apps after being alerted to their hidden mining capabilities.

The JavaScript miner runs inside the app’s built-in browser but it gives no indication to the user that the miner is running. Trend Micro notes that the phone’s CPU usage will be “exceptionally high” when the JavaScript code is running.

Trend Micro researchers say while using mobile devices probably returns insignificant earnings for the attackers, the malware still degrades the device’s performance, causes wear and tear, and reduces its battery life.

Coinhive offers its mining service as an alternative to monetizing a website through ads. However, Trend Micro, Malwarebytes, Sucuri, and other security firms have found a recent surge in attackers adding Coinhive miner to compromise websites to borrow CPU power from PCs. Some sites were also keeping ads while silently running the miner rather than replacing ads.

It’s the same miner that was founded embedded on The Pirate Bay, but the piracy site’s developers were intentionally testing whether mining Monero could replace ads, which are often blocked by ad-blockers.

The key problem, and reason Malwarebytes recently decided to block script running from Coinhive.com, was that Coinhive allowed site owners to use it without first asking the visitor’s permission.

The site owner can also configure the JavaScript miner to use only a certain amount of each visitor’s system. The Pirate Bay, for example, said it mistakenly set the miner to use 100 percent of a visitor’s CPU, but corrected the issue to only consume 20 to 30 percent and restricted the activity to one tab.

As Sucuri notes, Coinhive responded to the antivirus blocks by releasing a new version of the miner that runs scripts from the domain AuthedMine.com, which only allows a site to use a visitor’s CPU after the user opts in. The site shows an example of what the opt-in UI looks like.

However, Coinhive still supports the older version with no opt-in user interface. And as BleepingComputer noted recently, there are now several Coinhive clones, including WordPress ‘Coin Hive’ plugins, and none of them asks for permission.

Source: ZDnet
TAGS:
 
 

Popular posts

Related posts