First large scale mobile mining malware hits millions of Android users


According to Malwarebytes, attackers compromised millions of Android phones through a malicious ad-redirect scam. Researchers from Malwarebytes report that the campaign has been in operation for several months, with the first instance tracing back to November 2017.

The cryptomining scheme uses malvertising tactics (malicious advertisements that are served on websites just like standard ads but contain code that mines cryptocurrency) to hijack a user's device without their knowledge.

The CAPTCHA code is exactly the same for every single user (w3FaSO5R), and until it is entered and the continue button is pressed, the phone or tablet mines Monero at full speed, maxing out the device's processor, something that, left unchecked, can damage the device.

Stopping drive-by mining campaigns that rely on malvertising or malicious apps is becoming increasingly hard, although end users can usually protect themselves by running AV programs from Malwarebytes and many other providers.

Malwarebytes recommends that users make use of web filters and antivirus software to protect their devices from such threats. When visitors are redirected to the mining website, the page claims the mining is being done to pay for server traffic and instructs the user to enter a CAPTCHA code.

According to the report, millions of Android mobile users have been redirected to a specifically designed page "performing in-browser cryptomining". This is common in the Android ecosystem, especially with so-called "free" apps.

So far, researchers have identified five different domains that all carry the same CAPTCHA code; however, each domain uses a different CoinHive site key.
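As an added defensive example, not part of the Malwarebytes report or this article: a small Python scanner that flags a fetched page carrying the pattern described above (the CoinHive loader, a per-domain site key, and the fixed CAPTCHA value), so a web filter or crawler can track one campaign across its domains by site key. The sample page and its site key are constructed placeholders; the coinhive.min.js URL and the `CoinHive.Anonymous` constructor are the service's real, publicly documented API.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (not captured from the campaign) of the kind of landing
# page described: the CoinHive loader, an Anonymous miner started with a
# per-domain site key, and the CAPTCHA gate with the fixed reported value.
SAMPLE_PAGE = """<html><body>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY_1', {throttle: 0});
  miner.start();
</script>
<p>Your device is mining to pay for server traffic. Enter the code to continue.</p>
<input type="text" name="captcha" placeholder="w3FaSO5R">
</body></html>"""

LOADER_RE = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
SITEKEY_RE = re.compile(
    r"new\s+CoinHive\.(?:Anonymous|User)\(\s*['\"]([^'\"]+)['\"]", re.I)
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)", re.I)
CAPTCHA_VALUE = "w3FaSO5R"  # the single code the report says every visitor saw

@dataclass
class MinerFinding:
    loader_present: bool
    site_key: Optional[str]
    throttle: Optional[float]
    captcha_gate: bool

    @property
    def suspicious(self) -> bool:
        # Either indicator alone is enough to flag: the loader may be served
        # from a mirror, or the key may sit in an inlined copy of the library.
        return self.loader_present or self.site_key is not None

def scan_page(html: str) -> MinerFinding:
    """Inspect fetched HTML for the in-browser mining pattern described above."""
    key = SITEKEY_RE.search(html)
    thr = THROTTLE_RE.search(html)
    return MinerFinding(
        loader_present=LOADER_RE.search(html) is not None,
        site_key=key.group(1) if key else None,
        # throttle 0 (or absent) means the miner drives the CPU at full speed
        throttle=float(thr.group(1)) if thr else None,
        captcha_gate=CAPTCHA_VALUE in html,
    )
```

Running `scan_page` over each of the campaign's domains and grouping by `site_key` gives a defender the per-domain keys the report describes, which is what lets the same operation be tied together despite the differing hostnames.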

A new cryptomining attack targets only Android phones, potentially because mining on phones does not give the audible cue of fans revving up as a processor is maxed out.

The average time users spent on the malicious site was around four minutes, but the site had over 30 million visitors per month.

"It is hard to determine how much Monero currency this operation is now yielding without knowing how many other domains (and therefore total traffic) are out there".

The Malwarebytes researchers estimate that the attack generates only a few thousand dollars' worth of Monero per month, though they also note that the wildly fluctuating nature of cryptocurrency valuation could mean that the ill-gotten gains, when cashed out, may be worth significantly more. "Malware-based miners, as well as their web-based counterparts, are booming and offering online criminals new revenue sources".

The research blog also highlights that the attackers have a great advantage in targeting mobile users.
