Gabriel Cirlig
Sr. Software Engineer
Blog

Everything's Better with Blockchain

November 8, 2017 by Gabriel Cirlig

With the recent advent of crypto-coin miners, our mobile devices couldn’t have been ignored by cyber-criminals. There’s a plethora of malicious Android apps roaming around the Internet right now. Some of these malicious miners even managed to bypass filters and get into the Google Play Store, the official app marketplace for the Android ecosystem.

After triggering several YARA rules for Android coin miners, one particular sample caught our eye. 6f14b49cc12a3d2e6bcb38ec92f89627f17e072b had low detection rate among antivirus engines and its source code was completely unobfuscated.

Static analysis on this mobile malware sample led us to a number of crypto-currency wallets and mining pool accounts belonging to the malware author. Various coins were being mined from thousands of infected Android mobile phones, indicating a relatively high degree of activity.

nextgen-monetization1.jpg

Android cryptocoin mining malware can be quite lucrative for cyber-criminals. Total profits earned on one specific Magicoin wallet: 4929 XMG = over $1150 USD at current exchange rates (see above screenshots).

Out of all the hardcoded mining pool credentials we found inside this malware, one was particularly interesting. Mining pools usually just require a wallet address for authenticating miners, but this pool used a username instead:

nextgen-monetization2.jpg

Armed with this knowledge and some Google search kung-foo, we found some forum posts related to the username oxothuk. His philosophy when it comes to crypto-coin mining denotes a certain lack of ethics:

nextgen-monetization3.jpg

“I have not pay(ed) for electricity, and every end point device is lowpowered” “It is like botnet, but fully legal”

Among some other uninteresting forum ramblings, we stumbled upon a thread in which the miner discusses with other developers the validity of doing crypto-currency mining work on the phones belonging to his legit app users:

nextgen-monetization4.jpg

Looks like somebody is doing some next-gen monetization right here. This interesting application was found in a third-party mobile app store, uploaded by the same username:

nextgen-monetization5.jpg

The Android app with SHA 7b5c71677646f0e5cc2f9c9374f8ea5d7fc487c4 is detected by most antivirus engines on VirusTotal as a crypto-coin miner. Upon further inspection of the APK, we found a small miner embedded inside it, which led our investigation further - to the actual Play Store.

On the store, the miner disguises itself as a crossword puzzle app bundled together with IAP and ads:

nextgen-monetization6.jpg

Curiously enough, the application has a really high number of installs:

nextgen-monetization7.jpg

After installing the app and decompiling it, the same miner was present as well on an application straight from the store:

nextgen-monetization8.jpg

Wallets are pushed via Google’s firebase remote config API, unlike the previous miner, with an emergency wallet hardcoded in the source:

nextgen-monetization9.jpg

echo bmVvc2NyeXB0Lm1pbmUuenBvb2wuY2F+NDIzM34zSHpGZlhrWXVOZUVxQmNnN01tRUJRN0sxallTaXVhMUptfmQ9MC4wMDAxfjF+MH5kMWE5MDg4ZTlhODk= | base64 --decode

yields

neoscrypt.mine.zpool.ca~4233~3HzFfXkYuNeEqBcg7MmEBQ7K1jYSiua1Jm~d=0.0001~1~0~d1a9088e9a89

The emergency mining address is the same as the one previously encountered in the standalone APK that only did the mining, 3HzFfXkYuNeEqBcg7MmEBQ7K1jYSiua1Jm. What we can deduce is that the developer embedded a miner inside the game as an alternative means of obtaining ingame currency (which is enabled by default). Mining was only done at night and only when the phone was plugged in:

nextgen-monetization10.jpg

Upon actually running the app, we’ve noticed that mining was controlled from a setting inside the game (but was turned on by default), which allowed the user to mine for the owner of the game in exchange for virtual ingame currency. The game even informs you that it will use the phone’s idle time to generate coins for you (nothing mentioned about the user making cash off you though). Unfortunately, most of the users are uneducated about what this means (hogging CPU resources, thermal problems to which some are subjected, and so on).

Moving forward, we found another app with the same issue from the same developer (although on a different Google Play store account):

nextgen-monetization11.jpg

The app has the same high number of installs (if not more) as the previous one:

nextgen-monetization12.jpg

We also noticed that both apps were updated at around the same timeframe. Decompiling it yields the same miner as before, with the same in-game setting for disabling mining (no more in-game coins for you if you do that though!).

nextgen-monetization13.jpg

The intensity for the mining is controlled inside the KGWorkingService class, just as in the previous app.

nextgen-monetization14.jpg

However, when opening this app - we don’t see the same disclaimer as we did with the crossword puzzle game. Crypto-currency mining is activated by default on setting #2, without the user even realizing this.

Conclusion

While the maliciousness of these kind of mobile apps is a long subject to debate, we can say for sure that we’re witnessing the birth of the next generation of adware software. Thousands of users are actively mining for the personal profit of app’s creator. Sometimes, the mining “feature” is only pushed to the user after an update. This makes you wonder what an actual malicious actor could push if it were to compromise the codebase of a major developer on the games/app market.

nextgen-monetization15.jpg

When blockchain-based technologies are being discussed in the public space as a solution for everything, Bitcoin and other crypto-currencies can no longer be ignored. While the regular Internet users might need some time to adopt such technologies, cyber-criminals are always very agile when it comes to following new trends - as long as they can make a profit from them.

As mobile devices continuously evolve, they become more and more interesting targets for malicious actors. Mobile malware has historically lagged a few years behind traditional PC malware, but it always follows the same trend. Right now, crypto-coin miners have reached the mobile era - and they are here to stay. As manufacturers continue to add more CPU cores and gigabytes of RAM to our smartphones and tablets, these devices will continue to be an increasingly lucrative target for cyber-criminals. --In the meantime, we notified Google about the developer and a possible breach in the EULA.

UPDATE: On November 6th, right before we wanted to go live with this blogpost, the developer removed the cryptocurrency mining bit and exported it as a separate application on the Google Play Store. However, it is still being branded as a “coin earning module” and you have to dig a bit around to find out it's mining crypto-currency on your device for the developer, while you just earn in-game coins.

The app looks like this in the Play Store:

16

The actual description:

“The application is intended for earning game awards and bonuses in various applications. The application uses the crypto currency code that the application developer receives, giving players in exchange game bonuses.

How to use: Run the application, enable the application for which you need to earn bonuses. Now the app can be closed. When you put the phone on charge and it is fully charged, the award earning will begin. The next time you start the game - you will be awarded the due reward.

The player's device is used only at the moment when connected to the charging, fully charged and not used. Do not discharge or overheat the device.

Thus, without spending money, the player receives bonuses, and the developer earns on mutually beneficial terms.

Note: Some antivirus programs may issue a warning about bitcoinminer or not a virus. The application does not contain any malicious code, except for the actual miner, which the antivirus warns about.”

Nowhere does it actually say that you have to mine for that user in particular, just some passing references about “bitcoin miners” and “crypto currency code”.

‘Member the toolbars that improved your internet experience?

17

Well this is going be your mobile phone in the future if you’re not careful about what you’re going to install.

18

UPDATE2: We just confirmed (and double checked) that the developer we talk about in this blogpost is the same one that TrendLabs is talking about in their blogpost from one week ago: http://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/

It seems this developer is trying various ways to include crypto-currency miners in his Android apps – some ways more covert, some more over. He essentially was forced to move from distributing Android crypto-coin mining malware to what he’s doing now - which is to deceive his trusted users. He has updated his most popular app (5-10 million total installs) to deceive users into installing his miner, tricking them to earn “in-game coins” while he earns the crypto-coin mining revenues. We can say that crypto-coin miners for mobile phones are the new adware – helping unethical developers monetize their free apps while blatantly deceiving their users.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.