Millions of Android devices forced to mine Monero for crooks


Malwarebytes' blog reported on a "drive-by" mining campaign that managed to redirect millions of Android phone users to a website. The website boldly claimed that the user's device was infected with software that would mine cryptocurrency, more specifically Monero (XMR). It's an effective campaign in part because many mobile users do not bother installing security applications that might prevent this from happening, and in many cases these devices do not have any sort of web filtering configured, either.

If someone can control the JavaScript that the U.S. court system and thousands of other organizations load into their webpages, they can potentially exploit critical browser flaws, steal log-in credentials, and perform other malicious acts.

The malware page shows a warning message and a CAPTCHA code, with the instruction: "Please prove that you are human by solving the captcha." For as long as the user has not entered the code, the site runs the device's CPU at full speed mining Monero.

In general, it is a good idea to install a reputable security solution on your device to check each and every app you download and install for malicious code and behavior. Similarly, upon clicking the Continue button, users are redirected to the Google home page, another odd choice for having proved you were not a robot.

While Android users may be redirected from regular browsing, it is believed that infected apps containing ad modules are loading similar chains leading to this cryptomining page. This is unfortunately common in the Android ecosystem, especially with so-called "free" apps.


"It's possible that this particular campaign is going after low quality traffic - but not necessarily bots - and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner", they noted.

In the recent research, Malwarebytes found five domains using the same captcha and Coinhive site keys for the mining campaign. This confirmed our suspicions that the majority of traffic came via mobile and spiked in January. It was estimated that the five domains generate almost 800,000 visits on a daily basis, with visitors spending four minutes on average on the site. However weak its processing power is, it still costs them nothing.

It is hard to determine how much Monero currency this operation is now yielding without knowing how many other domains (and therefore total traffic) are out there.

The average time spent on the sites was around four minutes, so when combined with the number of visits, it's estimated that a few thousand dollars of Monero were generated on a monthly basis; not a stellar number but still a decent earner when it's someone else doing the work.
