While many news sites are oversaturated with articles about illegal cryptocurrency mining, users should be aware that mining cryptocurrency on their smartphone may permanently damage the device, as Kaspersky researchers proved last month when they discovered the Loapi Android malware.
But users don't have to install malware-laced apps on their devices to be affected. Yesterday, security researchers from Malwarebytes announced they had discovered a malvertising campaign that targets Internet users browsing on Android mobile browsers.
New Monero mining malware discovered in Google Play
In November 2017, we detected a strain of malware known as JSMiner in Google Play. The Monero cryptomining capabilities were discovered inside the gaming application Cooee. At the time of discovery, we forecasted a rise in mobile mining malware as attackers shift their attention from PC to mobile. And this week, we identified two more cryptomining apps in Google Play: SP Browser and Mr. MineRusher with a combined subscriber base in the thousands.
The IT security researchers at Trend Micro have discovered a sophisticated Monero mining malware targeting Android users under the guise of a fake Google Play update. As of now, its prime targets are users in China and India, since third-party apps are popular in both countries.
Dubbed HiddenMiner by researchers, the malware hides behind a legitimate-looking Google Play update app. Once the app is installed, it requires users to activate it as a device administrator and displays persistent pop-ups until the victim taps the Activate button.
Quite recently we heard of a couple of cryptocurrency mining malware apps targeting Android users. Now comes news of further such malware targeting Android devices. Researchers have found three apps on the Google Play Store infected with cryptocurrency mining malware and used to generate Monero coins.
To avoid falling victim to crypto mining, Sophos recommends avoiding installing apps from third-party app stores and, because some malware evidently manages to slip through the net on the Play Store, it also advises installing its own Mobile Security app for extra protection.
Recently, a crypto mining malware disguised as a Google Translate app has made its way onto thousands of computers. According to a study by Check Point Research (CPR), this malware, called Nitrokod, was developed by a Turkey-based entity as a desktop application for Google Translate.
After the malicious app is downloaded, the malware installation is triggered via a scheduled task. The malware then puts in place a sophisticated mining setup for the Monero cryptocurrency, based on the energy-intensive proof-of-work mining model. As a consequence, it gives the campaign's controller hidden access to the infected computers, which can be used to scam users and later damage the systems.
Reportedly, machines in at least 11 countries have so far been compromised by the Nitrokod malware, which has been in circulation since 2019. CPR has also posted updates and alerts about the crypto mining campaign on Twitter.
To recall, in a similar move earlier this year, Joker malware infected 50 apps on the Google Play Store, according to Zscaler ThreatLabz, and Google swiftly removed them from its app store. The Joker, Facestealer, and Coper malware families were found to be spreading through apps, according to the ThreatLabz team. The malicious apps were deleted from the Google Play Store after the ThreatLabz team alerted the Google Android Security team to these newly discovered threats.
This blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.
As transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into "blocks" so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the "chain" in blockchain. In order for miners to compute the complex hashing of each valid block, they must use a machine's computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called "pools" that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool's chance of mining a new block. When a new block is mined, the pool's participants are rewarded with coins. Figure 1 illustrates the roles miners play in the blockchain network.
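To make the block, previous-hash and proof-of-work mechanics above concrete, here is an added, self-contained toy ledger (constructed for this page; it is not code from any of the vendors or malware named here). The block layout, the difficulty rule (leading zero bits of a SHA-256 digest) and the sample transactions are assumptions chosen for the demo. The brute-force nonce loop in `mine_block` is the same CPU work that cryptojacking code steals from infected machines, and `validate_chain` shows why rewriting an old block breaks every block after it.

```python
"""Toy hash-chained ledger with proof-of-work mining (constructed example)."""
import copy
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    prev_hash: str       # hash of the previous block: the "chain" link
    transactions: list   # constructed sample payload
    nonce: int = 0

    def header_bytes(self) -> bytes:
        # Canonical serialisation so identical content always hashes identically.
        return json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":")).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.header_bytes()).hexdigest()


def meets_difficulty(digest_hex: str, difficulty_bits: int) -> bool:
    """True if the digest has at least `difficulty_bits` leading zero bits."""
    return int(digest_hex, 16) >> (256 - difficulty_bits) == 0


def mine_block(block: Block, difficulty_bits: int) -> Block:
    """Proof of work: bump the nonce until the block hash meets the target.

    This loop is the computational cost the text describes; a larger
    difficulty means exponentially more hashes per block.
    """
    block.nonce = 0
    while not meets_difficulty(block.hash(), difficulty_bits):
        block.nonce += 1
    return block


def validate_chain(chain: list, difficulty_bits: int) -> bool:
    """Every block must point at its predecessor's hash and meet the target."""
    for i, block in enumerate(chain):
        expected_prev = "0" * 64 if i == 0 else chain[i - 1].hash()
        if block.prev_hash != expected_prev:
            return False
        if not meets_difficulty(block.hash(), difficulty_bits):
            return False
    return True


def build_chain(tx_batches: list, difficulty_bits: int) -> list:
    """Mine one block per transaction batch, linking each to the last."""
    chain, prev = [], "0" * 64
    for i, txs in enumerate(tx_batches):
        block = mine_block(Block(i, prev, copy.deepcopy(txs)), difficulty_bits)
        chain.append(block)
        prev = block.hash()
    return chain


DIFFICULTY_BITS = 12  # small target so the demo mines in well under a second

# Constructed sample transactions (assumption: names and amounts are arbitrary).
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]


def demo() -> dict:
    """Mine a 3-block chain, then tamper with block 1 and re-validate."""
    chain = build_chain(SAMPLE_BATCHES, DIFFICULTY_BITS)
    valid_before = validate_chain(chain, DIFFICULTY_BITS)
    # Editing an old transaction changes that block's hash, so block 2's
    # prev_hash no longer matches (and block 1 almost surely misses the target).
    chain[1].transactions[0]["amount"] = 200
    valid_after = validate_chain(chain, DIFFICULTY_BITS)
    return {"length": len(chain), "valid_before": valid_before,
            "valid_after": valid_after}


if __name__ == "__main__":
    print(demo())
```

Raising `DIFFICULTY_BITS` by one roughly doubles the hashing work per block, which is why the economics of cryptojacking favour stealing many machines' CPU time rather than buying it.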
Cryptojacking can also highlight often overlooked security holes in a company's network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as TRITON.
FireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code for as long as cryptocurrency mining remains profitable.
Following the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit EternalBlue. Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.
Based on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). Consistent with other reporting, the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).
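The pool names above (minergate and nanopool) are a practical hunting lead: miners must keep a connection open to their pool, so outbound connection logs are a good place to look. The following is an added, constructed example of that check, not FireEye's detection technology. The log format, hostnames, addresses and the port list are assumptions made for the demo; the pool names come from the text above and "stratum" is the name of the wire protocol pool miners commonly speak.

```python
"""Flag likely miner-to-pool traffic in an outbound connection log (constructed example)."""
import re
from collections import defaultdict

# Substrings seen in pool hostnames (the two pools named on the page) plus the
# Stratum protocol name that miner endpoints often carry.
POOL_NAME_PATTERNS = re.compile(r"minergate|nanopool|stratum", re.IGNORECASE)
# Ports commonly used by Stratum pool endpoints (assumption for this demo).
SUSPICIOUS_PORTS = {3333, 4444, 5555, 7777, 14444}

# Constructed proxy/firewall log: ts src_ip dst_host dst_port bytes_out
SAMPLE_LOG = """\
2018-04-02T09:15:01Z 10.20.5.17 updates.example-vendor.test 443 1820
2018-04-02T09:15:09Z 10.20.5.42 xmr.pool-minergate.example 443 910
2018-04-02T09:16:30Z 10.20.7.8 www.example-university.test 80 4200
2018-04-02T09:17:02Z 10.20.5.42 xmr.pool-minergate.example 443 930
2018-04-02T09:18:44Z 10.20.9.3 eu-nanopool-proxy.example 14444 1100
2018-04-02T09:19:10Z 10.20.11.5 203.0.113.77 3333 880
2018-04-02T09:20:00Z 10.20.5.17 mail.example-vendor.test 993 2500
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_line(line: str):
    """Split one log line into fields; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def reasons_for(dst_host: str, dst_port: int) -> list:
    """Independent indicators: a pool-like name, or a typical Stratum port.

    The name check still fires when a pool hides behind port 443, which a
    port-only rule would miss; the port check catches bare-IP destinations.
    """
    reasons = []
    if POOL_NAME_PATTERNS.search(dst_host):
        reasons.append("pool-name")
    if dst_port in SUSPICIOUS_PORTS:
        reasons.append("stratum-port")
    return reasons


def flag_mining_traffic(log_text: str) -> dict:
    """Aggregate suspicious connections per source host for triage."""
    findings = defaultdict(lambda: {"hits": 0, "reasons": set(), "dsts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        why = reasons_for(rec["dst"], rec["port"])
        if not why:
            continue
        f = findings[rec["src"]]
        f["hits"] += 1
        f["reasons"].update(why)
        f["dsts"].add(f"{rec['dst']}:{rec['port']}")
    return {src: {"hits": f["hits"], "reasons": sorted(f["reasons"]),
                  "dsts": sorted(f["dsts"])}
            for src, f in findings.items()}


if __name__ == "__main__":
    for src, info in flag_mining_traffic(SAMPLE_LOG).items():
        print(src, info)
```

A repeated, low-volume connection from one internal host to a pool-named destination is the pattern worth paging on; the port-only hits are weaker and are best corroborated with CPU telemetry from the source host before acting.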
In 2017, scammers developed an app that contained mining malware. They released this app to Google Play Store. Cybercriminals launched a fake Cooee game to mislead users. The app had malware that used mobile hardware to mine Monero in the background.
Researchers from Kaspersky Lab recently identified a new malware strain called Loapi which is capable of damaging the hardware of mobile phones. Derived from Podec, an older malware strain discovered in 2015, Loapi downloads a Monero miner onto the mobile device, which overworks and overheats its components.