Hundreds of fake Android apps have a hidden Coinhive miner
The Bitcoin bubble means there is a massive interest in cryptocurrencies, particularly from those looking for an easy way to make a quick buck. It's also led to secretive mining tools making use of people's CPUs without their knowledge, mining for profitable cryptocurrency for persons unknown.
We've seen this with both websites and browser extensions, and now a security researcher has discovered a series of fake Android apps harboring an undisclosed Coinhive cryptocurrency miner. The repackaged APKs take advantage of the CPUs of the smartphones the apps are installed on.
Robert Baptiste -- who operates under the name Elliot Alderson -- analyzed a series of Android apps that had been made available on third-party sites. Running the APKs through a scanner showed that a large number of the apps -- all of which were downloaded from androidapk.world -- were laced with a Coinhive miner.
Speaking to HackRead, Baptiste says:
I don’t think these apps are the original apps. The "hacker" modified it and repacked it and after that, he uses multiple dropper apps to distribute these modified apps. Only the package name and the app name has been changed and I just dig up more and in fact, this is the same app 291 times which means there are 291 applications with different icons and names
On Twitter he wrote:
I was bored in the plane, so I made some scripts and reversed the 291 apps, here some facts:
- The key 6GlWvU4BbBgzJ3wzL3mkJEVazCxxIHjF is used 287 times
- These 291 apps are the same apps. The code is identical only the app name, icon and package name is different
— Elliot Alderson (@fs0c131y) January 7, 2018
The findings highlight the importance of only installing apps from Google Play or other reputable sources.
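The tally described in the tweet above can be reproduced defensively over a set of sideloaded APKs. The following is an added example, not Baptiste's scripts: it assumes the miner ships as Coinhive's JavaScript with the site key passed to `CoinHive.Anonymous(...)` or `CoinHive.User(...)` in some file inside the APK, and that identical code shows up as an identical `classes.dex`; `fake_apk`, the file names and the keys are constructed.

```python
import hashlib, io, re, zipfile
from collections import Counter, defaultdict

# Assumption: the site key is the first argument of Coinhive's JS constructor.
KEY_RE = re.compile(rb"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]{32})['\"]")
MAX_ENTRY = 32 * 1024 * 1024  # skip oversized entries (zip-bomb guard)

def scan_apk(apk):
    """Return (site keys found, SHA-256 of classes.dex or None) for one APK."""
    keys, dex_hash = set(), None
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_ENTRY:
                continue
            data = zf.read(info)
            if info.filename == "classes.dex":
                dex_hash = hashlib.sha256(data).hexdigest()
            keys.update(k.decode() for k in KEY_RE.findall(data))
    return keys, dex_hash

def summarize(apks):
    """apks: {name: path or file object}. Tally keys, group names by code hash."""
    key_counts, by_code = Counter(), defaultdict(list)
    for name, apk in apks.items():
        try:
            keys, dex_hash = scan_apk(apk)
        except zipfile.BadZipFile:
            continue  # not a readable APK/ZIP
        key_counts.update(keys)
        by_code[dex_hash].append(name)
    return key_counts, dict(by_code)

def fake_apk(label, key, dex=b"dex\n035\x00same-code"):
    """Constructed stand-in for an APK: manifest, classes.dex, optional miner page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", f"<manifest package='com.example.{label}'/>")
        zf.writestr("classes.dex", dex)
        if key:
            zf.writestr("assets/engine.html",
                        f"<script>new CoinHive.Anonymous('{key}').start();</script>")
    return buf

K1, K2 = "A" * 32, "B" * 32  # constructed placeholder keys, not real site keys
SAMPLES = {"flashlight.apk": fake_apk("a", K1), "wallpaper.apk": fake_apk("b", K1),
           "game.apk": fake_apk("c", K2),
           "clean.apk": fake_apk("d", None, dex=b"dex\n035\x00other-code")}

if __name__ == "__main__":
    counts, groups = summarize(SAMPLES)
    print(counts.most_common(), sorted(len(v) for v in groups.values()))
```

A key that recurs across many differently named packages sharing one `classes.dex` hash is the pattern the tweet reports.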