360 Total Security Blog

25 Google Play apps are discovered to cryptojack more than 120,000 users

Google stated clearly in the Google Play Store developer policy updated on July 27 this year that uploading any cryptocurrency mining application to Google Play is forbidden. However, the latest findings show that some developers have still found a way onto the store by hiding their apps' true purpose.

In recent years, as cryptocurrency prices have risen sharply, malicious cryptocurrency mining has been on the rise worldwide. Mobile device users have been hit hard as well, especially users of the mainstream mobile operating systems.

Recently, at least 35 cryptocurrency mining applications were found on Google Play, and it is estimated that more than 120,000 users may have downloaded and installed them. Their developers disguised them as games, utilities, and educational applications, but in fact they all embed Coinhive cryptocurrency mining code.

Coinhive is a JavaScript cryptocurrency miner for Monero. It is designed to mine with the device's CPU rather than the GPU, which is exactly what makes it useful to hackers for mining Monero secretly on victims' mobile devices.

Researchers say that with just a few lines of code, hackers can add mining capability to any application that uses the WebView embedded browser component.

The developers of all of these applications chose Monero because it offers enough privacy to hide the sender and recipient of a transaction as well as the amount. The applications all mine with the CPU and cap their CPU usage to avoid the telltale symptoms of mining, such as device overheating, high power consumption, and an overall sluggish device.

Of the 25 applications, 11 are disguised as educational applications for US exams (ACT, GRE, and SAT) and are published from the same developer account, Gadgetium. According to the researchers, these applications include an HTML page that contains a Coinhive miner.

The application first enables JavaScript and loads the HTML page in a WebView, then uses the "miner_id", a wallet address retrieved from the app's resources, to start the miner. While most of the applications load scripts hosted on coinhive[.]com, two of them (co.lighton and com.mobeleader.spsapp) use scripts hosted on the developers' own servers.

In addition, one of the applications (de.uwepost.apaintboxforkids) uses the popular open-source CPU miner XMRig, which can mine a variety of cryptocurrencies, including Monero.
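The loading chain described above (JavaScript enabled in a WebView, a bundled HTML page that starts the Coinhive miner with a site key and a CPU throttle, or a bundled XMRig binary) can be turned into a static check over an unpacked APK. The Python scanner below is an added example, not code from 360 Total Security or from the researchers; it assumes the article's "miner_id" is the Coinhive site key, relies on the publicly documented Coinhive script URL and `CoinHive.Anonymous`/`miner.start()` API names, and runs against a constructed sample directory rather than any of the listed apps.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators taken from the article: a page embedding the Coinhive
# miner (hosted on coinhive.com or self-hosted) started with a site key and a
# CPU throttle, code enabling JavaScript in a WebView and loading a bundled
# asset page, or a bundled XMRig binary. Heuristics, not a signature.
INDICATORS = {
    "coinhive_script": re.compile(r"coinhive\.com/lib/coinhive(\.min)?\.js", re.I),
    "coinhive_api": re.compile(r"CoinHive\.(Anonymous|User)\s*\(", re.I),
    "miner_throttle": re.compile(r"throttle\s*:\s*0?\.\d+"),
    "webview_js_enabled": re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)|setJavaScriptEnabled\(Z\)V"),
    "webview_loads_asset": re.compile(r"file:///android_asset/"),
    "xmrig": re.compile(r"xmrig", re.I),
}
SCAN_SUFFIXES = {".html", ".htm", ".js", ".java", ".smali", ".xml", ".so"}

def scan_unpacked_apk(root):
    """Return {indicator: [relative paths]} for every scannable file under root."""
    root = Path(root)
    hits = {name: [] for name in INDICATORS}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix.lower() in SCAN_SUFFIXES or "xmrig" in path.name.lower()):
            # The file name is scanned too, so a bundled xmrig binary is caught by name.
            text = path.name + "\n" + path.read_text(errors="ignore")
            for name, rx in INDICATORS.items():
                if rx.search(text):
                    hits[name].append(path.relative_to(root).as_posix())
    return hits

def is_cryptojacker(hits):
    """Flag a miner page wired into a JavaScript-enabled WebView, or a bundled XMRig."""
    miner_page = bool(hits["coinhive_script"] or hits["coinhive_api"])
    webview_runs_it = bool(hits["webview_js_enabled"] and hits["webview_loads_asset"])
    return (miner_page and webview_runs_it) or bool(hits["xmrig"])

def build_sample():
    """Constructed unpacked-APK layout (not a real app) mimicking the article's pattern."""
    root = Path(tempfile.mkdtemp())
    (root / "assets").mkdir()
    (root / "assets" / "miner.html").write_text(
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
        "<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.5});\n"
        "miner.start();</script>\n")
    (root / "src").mkdir()
    (root / "src" / "MainActivity.java").write_text(
        "webView.getSettings().setJavaScriptEnabled(true);\n"
        'webView.loadUrl("file:///android_asset/miner.html");\n')
    return str(root)
```

Point `scan_unpacked_apk` at the output of an APK decoder (decoded resources plus decompiled sources) and feed the result to `is_cryptojacker`; a positive on the WebView indicators alone is common in legitimate apps, which is why the verdict also requires the miner page.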

Although some of these apps have been removed, several can still be downloaded from Google Play.

The researchers compiled a complete list of the 25 mining applications by app package name.