Android devices are being targeted for mining Monero through forced redirects and rogue ad networks, which could make it difficult for Google to stop the attacks.
- A new cryptomining attack targets only Android phones, potentially because mining on phones does not give the audible cue of fans revving up as a processor is maxed out.
- As the attack is propagated through the web, the potential for Google to detect and ban offending APKs using code audits seems remote.
A series of related web pages has been targeting Android devices to mine the Monero cryptocurrency since at least November 2017. While this attack is delivered over the web rather than by malware packaged in an APK, the redirect chain and its mining script can seemingly also be reached through the advertising modules that free mobile apps embed, since those modules render web content.
The attack, discovered by Malwarebytes researcher Jérôme Segura while investigating the EITest malware family, is gated on the browser's User-Agent string. The associated domains show a standard technical support scam when visited from Internet Explorer or Chrome on the desktop, but when "Android" appears in the User-Agent the visitor is pushed through a series of redirects that end at the Monero mining page, according to the Malwarebytes blog.
Compared with drive-by mining attacks on desktop or notebook computers, mining on a mobile device yields a far lower hash rate, as mobile SoCs are much less capable of the number crunching that mining requires. However, the telltale signs that mining has started are also less obvious: the jet-like sound of fans spinning at full speed as a desktop or laptop processor is driven to 100% simply does not occur on a smartphone, so a user may notice nothing beyond a warm, sluggish device and a draining battery.
The attack in question displays an ominous warning that "your device is showing suspicious surfing behavior," telling the user that the device will mine cryptocurrency "in order to recover server costs incurred by bot traffic" until the user solves a CAPTCHA to prove they are not a bot, the post said. Oddly, the CAPTCHA answer ("w3FaSO5R") is hardcoded in the page source, so the "bot check" is only a pretext for keeping the miner running for as long as the visitor takes to type it. After the answer is submitted, the script redirects the user to the Google homepage.
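The two behaviours described above, User-Agent cloaking and a CAPTCHA whose answer sits in the page itself, are what an analyst would check for when triaging a suspect page. The following is an added example, not code from the Malwarebytes write-up or from the campaign: it models the User-Agent-gated redirect chain with a constructed route table (all hostnames are placeholders), resolves it once with a desktop and once with an Android User-Agent to expose the cloaking, and then runs two static checks over the constructed miner page source, one for a form value compared against a string literal and one listing the external scripts the page loads.

```javascript
// Added example modelling the behaviour described in the article. The route
// table, hostnames, page source, User-Agent strings and script name below are
// all constructed for illustration and are not taken from the real campaign.

// Constructed miner page: a fake "bot check" whose CAPTCHA answer is compared
// against a literal in the page's own script (the answer quoted by the article).
const MINER_HTML = `
<html><body>
<p>Your device is showing suspicious surfing behavior.</p>
<p>Mining will run in order to recover server costs incurred by bot traffic
until you solve the CAPTCHA.</p>
<input id="captcha"><button onclick="check()">Verify</button>
<script src="https://miner-host.example/lib/miner.js"></script>
<script>
function check() {
  if (document.getElementById('captcha').value == "w3FaSO5R") {
    window.location = "https://www.google.com/";
  }
}
</script>
</body></html>`;

// Constructed tech-support-scam page served to desktop browsers.
const SCAM_HTML = `<html><body><h1>Your computer has been blocked</h1>
<p>Call support now.</p></body></html>`;

// The campaign's gate as the article describes it: "Android" anywhere in the
// User-Agent selects the miner branch, everything else the scam page.
function branchForUserAgent(ua) {
  return /Android/i.test(ua) ? 'miner' : 'tech-support-scam';
}

// Constructed route table. A function entry is a redirector that picks the next
// hop from the User-Agent; an object entry is a final page.
const ROUTES = {
  'http://landing.example/': (ua) =>
    branchForUserAgent(ua) === 'miner'
      ? 'http://redir1.example/'
      : 'http://support-scam.example/',
  'http://redir1.example/': () => 'http://miner.example/',
  'http://miner.example/': { page: 'miner', html: MINER_HTML },
  'http://support-scam.example/': { page: 'tech-support-scam', html: SCAM_HTML },
};

// Follow the chain for one User-Agent until a final page is reached, recording
// every hop. The hop limit guards against a looping route table.
function resolveChain(startUrl, ua, routes = ROUTES, maxHops = 10) {
  const hops = [startUrl];
  let current = startUrl;
  for (let i = 0; i < maxHops; i++) {
    const entry = routes[current];
    if (entry === undefined) throw new Error(`no route for ${current}`);
    if (typeof entry !== 'function') return { hops, final: entry };
    current = entry(ua);
    hops.push(current);
  }
  throw new Error('redirect loop or chain too long');
}

const DESKTOP_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/63.0 Safari/537.36';
const ANDROID_UA = 'Mozilla/5.0 (Linux; Android 8.0; Pixel 2) AppleWebKit/537.36 Chrome/63.0 Mobile Safari/537.36';

// Check 1: cloaking. Resolve the same URL with a desktop and an Android
// User-Agent and report whether the landing pages differ.
function detectUaCloaking(url, routes = ROUTES) {
  const desktop = resolveChain(url, DESKTOP_UA, routes);
  const android = resolveChain(url, ANDROID_UA, routes);
  return {
    desktopPage: desktop.final.page,
    androidPage: android.final.page,
    androidHops: android.hops.length - 1,
    cloaked: desktop.final.page !== android.final.page,
  };
}

// Check 2: a CAPTCHA whose expected answer is a string literal in the page is
// not a CAPTCHA. Return every literal a form value is compared against.
function findHardcodedCaptchaAnswers(html) {
  const re = /\.value\s*===?\s*(["'])([^"']+)\1/g;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[2]);
  return found;
}

// Check 3: external script sources, for review against a miner blocklist of
// the kind browsers that block mining scripts maintain.
function externalScriptSources(html) {
  const re = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

const report = detectUaCloaking('http://landing.example/');
console.log(JSON.stringify(report));
console.log('hardcoded CAPTCHA answers:', findHardcodedCaptchaAnswers(MINER_HTML));
console.log('external scripts:', externalScriptSources(MINER_HTML));
```

Against a live page the route table would be replaced by real requests issued twice with the two User-Agent strings; the point of the comparison is that a redirector which answers differently by User-Agent will show the analyst the scam page while sending the phone to the miner, so any triage done only from a desktop browser misses the Android branch entirely.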
The Malwarebytes researchers estimate that the attack generates only a few thousand dollars' worth of Monero per month, though they also note that, given how wildly cryptocurrency valuations fluctuate, the ill-gotten gains could be worth significantly more by the time they are cashed out.
Presently, the Opera web browser blocks known mining scripts from running, but other browser vendors have yet to follow suit. Because this attack is delivered through the web rather than through app code, the potential for Google to stop it by auditing and banning offending APKs in the Play Store seems remote.