Android Monero-Mining Malware Can Cause Device Failure

Posted: April 02, 2018

Categories: Security, Tips, Android Security

Author: Npav Lab

Android Monero-Mining Malware Can Cause Device Failure

A new type of Android malware that infects devices and untetheredly mines Monero in the phone's background until the battery is exhausted or the device gives out, Called HiddenMiner.

This malware has been spotted inside apps distributed via third-party stores. Researchers say that most of the infected users are based either in China or India.

Experts say they've tracked the malware's operations back to a mining pool where crooks made 26 XMR (around $5,400).

HiddenMiner needs access to an administrator account

HiddenMiner is not the first untethered Monero-mining malware that affects Android devices. The first was Loapi, spotted last December.

HiddenMiner took inspiration from Loapi because just like the aforementioned, HiddenMiner works by tricking users into giving it access to an administrator account.

hiddenminer-2

The malware then uses this account to hide the original app behind transparent app icon, and immediately start a Monero miner that runs at all times in the phone's background.

"There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted. Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail".

HiddenMiner can also lock users screens

But this isn't HiddenMiner's only malicious feature. The trojan also locks the user's device whenever it detects an attempt to remote its administrator account on Android 6.0 devices and earlier. This behavior has been seen before in the LokiBot Android banking trojan.

Unfortunately, only by removing the admin account, a user will be able to remove the trojan from his device before the battery overheats and gives out, potentially destroying the rest of the device.

The only way to remove the administrator account is to reboot the device in Safe Mode and uninstall the rogue admin account, along with the HiddenMiner-infected app from there.

Currently, crooks are using a fake Google Play Store updater app (com.android.sesupdate) to distribute HiddenMiner via third-party app stores, but experts expect crooks to diversify their portfolio and even start infecting users in other areas of the globe.

Common tips to Catch Fake Android App

[ssticklist]

Look at the publish date.A fake app will have a recent published date.
Do a little research about the developer of the app you plan to install.
Very important – read all app permissions carefully.

[/ssticklist]

Sharing is caring!
Share

Tweet LinkedIn

← Previous Next →

Comment(s)

Android Monero-Mining Malware Can Cause Device Failure

A new type of Android malware that infects devices and untetheredly mines Monero in the phone's background until the battery is exhausted or the device gives out, Called HiddenMiner.

This malware has been spotted inside apps distributed via third-party stores. Researchers say that most of the infected users are based either in China or India.

Experts say they've tracked the malware's operations back to a mining pool where crooks made 26 XMR (around $5,400).

HiddenMiner needs access to an administrator account

HiddenMiner is not the first untethered Monero-mining malware that affects Android devices. The first was Loapi, spotted last December.

HiddenMiner took inspiration from Loapi because just like the aforementioned, HiddenMiner works by tricking users into giving it access to an administrator account.

The malware then uses this account to hide the original app behind transparent app icon, and immediately start a Monero miner that runs at all times in the phone's background.

HiddenMiner can also lock users screens

But this isn't HiddenMiner's only malicious feature. The trojan also locks the user's device whenever it detects an attempt to remote its administrator account on Android 6.0 devices and earlier. This behavior has been seen before in the LokiBot Android banking trojan.

Unfortunately, only by removing the admin account, a user will be able to remove the trojan from his device before the battery overheats and gives out, potentially destroying the rest of the device.

The only way to remove the administrator account is to reboot the device in Safe Mode and uninstall the rogue admin account, along with the HiddenMiner-infected app from there.

Currently, crooks are using a fake Google Play Store updater app (com.android.sesupdate) to distribute HiddenMiner via third-party app stores, but experts expect crooks to diversify their portfolio and even start infecting users in other areas of the globe.

Common tips to Catch Fake Android App

[ssticklist]

Look at the publish date.A fake app will have a recent published date.

Do a little research about the developer of the app you plan to install.

Very important – read all app permissions carefully.

[/ssticklist]