Two dozen Android apps recently made it into Google Play with code that turns users' phones into cryptocurrency mining workers. Some of them target users in the US under the guise of educational tools.

Combined, they have been downloaded more than 120,000 times, according to estimates from security researchers at Sophos.

Dev limits CPU usage to hide mining operation

Their guise varies from games and utilities to educational applications, but the one thing they have in common is the Coinhive cryptocurrency mining code that uses the device's CPU to mint Monero (XMR).

Almost half the apps have been published under the same developer account and lured consumers in the US under the pretense of tools that help the user prepare for various standardized tests, like SAT, ACT or GRE.

The researchers found that they included an HTML page with the Coinhive miner, loaded via the WebView component. Two of them hosted the mining scripts on their own servers, an unusual choice considering that most of the time miners use Coinhive as the host.

Monero is the digital coin of choice in cryptojacking campaigns because it uses an obfuscated public ledger designed to mask the source, amount and destination of a transaction.

Two of the apps discovered by Sophos embedded the open-source mining tool XMRig, which can use CPU cycles to mint cryptocurrencies other than Monero, such as Aeon, Sumokoin, and Turtlecoin.

The developer(s) of all 25 apps analyzed by the researchers wanted their mining operation to survive as long as possible; to this end, they limited the apps' CPU usage so that they would not overheat the device, drain the battery quickly or slow down the phone.
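A defender triaging an APK for the pattern described above (a bundled HTML page that starts a Coinhive miner in a WebView, sometimes with a self-hosted script and a CPU limit) can scan the archive's web assets, as in this added example, which is not code from Sophos or from the article. The regular expressions, the `scan_apk` and `build_sample_apk` helpers and the sample archive are assumptions made for illustration; `CoinHive.Anonymous` and the `throttle` option are names from Coinhive's JavaScript API.

```python
import io
import re
import zipfile

# Heuristic patterns chosen for this example (assumptions, not indicators from the article).
HOST_RE = re.compile(rb"coinhive\.com", re.I)                  # script pulled from Coinhive
API_RE = re.compile(rb"CoinHive\.(?:Anonymous|User)\s*\(")     # miner constructor, any host
THROTTLE_RE = re.compile(rb"throttle\s*:\s*([01](?:\.\d+)?)")  # CPU-limiting option
WEB_EXT = (".html", ".htm", ".js")

def scan_apk(apk_bytes):
    """Map each bundled web asset that looks like a Coinhive page to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("assets/") and name.lower().endswith(WEB_EXT)):
                continue
            data = apk.read(name)
            reasons = []
            if HOST_RE.search(data):
                reasons.append("coinhive-host")
            if API_RE.search(data):  # still fires when the script is self-hosted
                reasons.append("coinhive-api")
            throttle = THROTTLE_RE.search(data)
            if reasons and throttle:
                reasons.append("throttle=" + throttle.group(1).decode())
            if reasons:
                findings[name] = reasons
    return findings

def build_sample_apk():
    """Constructed APK-like archive: one Coinhive-hosted page, one self-hosted, one clean."""
    pages = {
        "assets/quiz.html": b'<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
                            b"<script>new CoinHive.Anonymous('SITE_KEY').start();</script>",
        "assets/help.html": b'<script src="https://miner.example.invalid/m.js"></script>'
                            b"<script>new CoinHive.Anonymous('SITE_KEY', {throttle: 0.9}).start();</script>",
        "assets/about.html": b"<h1>SAT practice</h1>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for path, body in pages.items():
            apk.writestr(path, body)
    return buf.getvalue()

if __name__ == "__main__":
    for path, reasons in scan_apk(build_sample_apk()).items():
        print(path, reasons)
```

Matching on the constructor call as well as the hostname is what catches the self-hosted case; a script that has been renamed or obfuscated would need dynamic analysis instead.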

Not all offensive apps have been eliminated

Sophos says that Google took action and deleted some of the offensive apps from Android's official store, but warns that many others are still present.

The nature of the apps is not downright malicious, but they do infringe the Google Play Developer Policy on unauthorized use or imitation of system functionality.

Although curated, Google's marketplace for Android continues to present risks. Malicious or offensive entries are most of the time removed quickly, often before they cause any harm.

Sometimes, though, Android app authors may be successful and cause damage to users. BleepingComputer reported such an incident this week, where a Trojanized app managed to steal over 10,000 euros from Android users' accounts.