Coinhive in Android apps

The malicious deployment of in-browser JavaScript-based cryptocurrency mining scripts has continued the past week, and we've seen them reach Android applications on the official Google Play Store, but we've also seen the first mass-deployment as part of a botnet of hacked WordPress sites.

While there are multiple players on the JS-based cryptocurrency mining market, Coinhive continues to remain the attackers' top choice, as we've seen this week after the launch of the WhoRunsCoinhive service.

Coinhive found in Android apps

Most desktop users already run an ad blocker or antivirus that can block these scripts. The same cannot be said for mobile devices, where most users still don't use an antivirus on a regular basis, nor do they install ad blockers in their mobile browsers.

This is why Trend Micro's discovery of two apps that deploy a Coinhive mining script is worrisome.

The two apps, now removed from the official Play Store, are named "Recitiamo Santo Rosario Free" and "SafetyNet Wireless App." Both of these apps deploy a copy of the Coinhive miner inside a hidden WebView browser.

While the user keeps the two apps open, the miner runs, forcing phone resources to work at their max and mine Monero for the apps' authors.

The problem is that the apps do not request permission to do so, and cryptocurrency mining behavior will surely lead to the device overheating, a reduced battery life, reduced performance, and a general wear and tear on the device's physical state.

Botnet of Coinhive-laden WordPress sites

Besides the malicious apps, last week, WordPress WAF providers like Sucuri and Wordfence have both sounded the alarm on an increase in hacked websites altered to deploy cryptocurrency miners, especially Coinhive variants.

The biggest such threat was a threat group detected by Sucuri that has deployed the same script on over 500 WordPress sites.

The script redirects Firefox users to a classic "font pack missing" malware distribution pages, while Chrome users received a heavily obfuscated variant of the Coinhive miner.

Other cryptocurrency mining threats

But these were not the only malware campaigns leveraging cryptocurrency mining — this year's favorite malware trend.

Trend Micro also detected another app on the official Play Store — named "Car Wallpaper HD: mercedes, ferrari, bmw and audi" — that delivered a cryptocurrency miner hidden inside its libraries. Unlike the first two apps mentioned in this article, this app didn't deploy an in-browser miner, but deployed the CpuMiner library that could work without needing a browser open.

In addition, Microsoft warned about a new in-browser cryptocurrency mining domain at 185[.]14[.]28[.]10.

But miners are not the only dangers that revolve around cryptocurrency. Also last week, ESET discovered two fake apps for the Poloniex cryptocurrency exchange.

The apps were very successful in infecting thousands of users because the Poloniex service does not provide official mobile apps, and most users took them at face value.

All cryptocurrency lovers should verify any "official" apps against the exchange's official website before installing them on their phones.