A new Monero-mining malware dubbed HiddenMiner targets Android users, posing as a legitimate Google Play update app.
According to researchers from Trend Micro, the malware uses the device's CPU to mine Monero, and it has no switch, controller or optimizer in its code. This means the malware keeps mining Monero until the device's resources are exhausted or it runs out of power due to overheating.
“This Monero-mining Android app’s self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLocker Android ransomware).”
After installation, the app asks the user to activate it as a device administrator and keeps displaying a pop-up until the victim clicks the Activate button.
Once the permissions are granted, HiddenMiner will start mining Monero in the background until the next device boot.
HiddenMiner has some similarities to the recently discovered Loapi Monero-mining Android malware, which also uses the device's CPU to mine Monero.
The malware uses several techniques to hide itself on the device, such as emptying the app label and using a transparent icon after installation. It also has anti-emulator capabilities to bypass detection and automated analysis.
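The device-administrator abuse and the hiding tricks described above (empty app label, transparent icon, installation from outside Google Play) are all visible from an app inventory, so they can be turned into a simple triage heuristic. The following Python script is an added example, not Trend Micro's tooling or anything from the report: it scores each installed app on those indicators and flags the ones that combine them. The inventory is constructed, and the package names are placeholders, not real indicators of compromise; on a real device the same records would be built from the third-party package list, each package's launcher label and icon, and the list of active device administrators.

```python
"""Heuristic triage of an Android app inventory for the HiddenMiner-style
indicators the article describes: empty app label, no visible launcher icon,
device administrator privileges, and installation from outside Google Play.

Added example, not Trend Micro's tooling. The inventory below is constructed;
on a real device it would be built from the third-party package list, each
package's launcher label/icon, and the active device administrators.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Installer package name of the Google Play Store client.
PLAY_STORE_INSTALLER = "com.android.vending"


@dataclass
class InstalledApp:
    package: str
    label: str                # launcher label; "" if the app emptied it
    installer: Optional[str]  # package that installed it; None when sideloaded
    device_admin: bool        # currently an active device administrator?
    launcher_icon: bool       # exposes a visible launcher icon?


def indicators(app: InstalledApp) -> List[str]:
    """Return the list of HiddenMiner-style indicators present on one app."""
    reasons = []
    if not app.label.strip():
        reasons.append("empty app label")
    if not app.launcher_icon:
        reasons.append("no visible launcher icon")
    if app.device_admin:
        reasons.append("active device administrator")
    if app.installer != PLAY_STORE_INSTALLER:
        reasons.append("not installed from Google Play")
    return reasons


def triage(inventory: List[InstalledApp], min_hits: int = 2) -> Dict[str, List[str]]:
    """Map package -> indicators for apps showing at least `min_hits` indicators.

    A device administrator with an empty label is always flagged regardless of
    the threshold: a legitimate admin app has no reason to hide its name.
    """
    flagged: Dict[str, List[str]] = {}
    for app in inventory:
        hits = indicators(app)
        hidden_admin = app.device_admin and not app.label.strip()
        if hidden_admin or len(hits) >= min_hits:
            flagged[app.package] = hits
    return flagged


# Constructed sample inventory (package names are placeholders, not real IoCs).
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", "Bank", PLAY_STORE_INSTALLER, False, True),
    InstalledApp("com.example.mdm", "Work Profile", PLAY_STORE_INSTALLER, True, True),
    InstalledApp("com.example.torch", "Flashlight", None, False, True),
    InstalledApp("com.example.fakeupdate", "", None, True, False),
]

if __name__ == "__main__":
    for package, reasons in triage(SAMPLE_INVENTORY).items():
        print(f"{package}: {', '.join(reasons)}")
```

With the default threshold only the nameless, icon-less, sideloaded device administrator is flagged; the legitimate Play-installed admin app and the harmless sideloaded flashlight each trip a single indicator and are left alone. Lowering `min_hits` to 1 surfaces them too, which is the trade-off between coverage and noise any such heuristic has to make.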
HiddenMiner is spread via third-party marketplaces, and as of now its primary targets are users in India and China.
The attackers took advantage of a bug in Android that prevented users from removing the app's administrative privileges.
Google fixed the flaw in Nougat and the newer Android OS versions released since.
“Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave. For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”