Android mining trojan so aggressive it can break your device


As cryptocurrencies become more valuable, cybercriminals are upping their game to try to make a healthy profit out of their unwilling victims. This week, the SonicWall Capture Labs Threat Research Team has received reports of a malicious android app which turns your mobile device into a cryptocurrency mining slave.

Infection cycle:

The sample we have analyzed installed a fake security application called CM Security. It even uses the same icon as the legitimate version from Cheetah Mobile.

Upon installation it asks for admin privileges.

After being granted with the admin rights, the malicious app hides its icon from the main menu. It also makes it difficult for a standard user to uninstall this app with the option grayed out.

This app checks for the operating system build to verify whether it is being run on a virtual environment or an emulator. It checks for common emulators such as Android emulator kernel Goldfish, Genymotion and Droid4x.

With admin rights, this malware now has access to the phone’s address book and send SMS among many others.

This malware uses the wakelock mechanism to force the device to stay on while also using the keyguard service to let it lock and unlock the keyboard.

We found the following modules within the app which are related to displaying advertisements on the user’s device.

We also found modules on what appears to be how the compromised device will communicate back to a remote server and possibly how commands can be received and malicious tasks can then be carried out.

And lastly, we found this mining class from within the app. This malware used Coinhive which is a javascript miner for Monero blockchain.

It has been reported that with the aggressive mining efforts that this malware does, it puts the device under strain making it work at full load which then causes it to overheat and break the device.

Sonicwall Capture Labs provides protection against this threat with the following signature:

  • GAV: AndroidOS.Coinminer.JS (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.