Sudden surge in Android miner malware observed

The SonicWall Threats Research team observed a sudden spike in Android apps with hidden crypto-miner functionality. Such apps masquerade as legitimate apps, such as games, music or video apps, but in the background they mine cryptocurrency using the hardware resources of the infected victim's device.

Malicious Android apps with mining capability have existed for some time, but we saw a sudden surge in such apps on January 8, 2018. Given the recent popularity of cryptocurrencies like Bitcoin, Ethereum and Ripple, the rise in such malware apps is not surprising.


Infection Cycle

The only permission requested by the app is the ability to access the Internet. This is an extremely common permission used by most Android apps, so on the basis of permissions alone it is difficult to flag this app as malicious.

Crypto Mining

The cryptocurrency mining script resides in the Assets folder as engine.html. This script contains the functions to start and stop the mining:

The app starts a service, CoinHiveIntentService, which monitors, starts and stops the crypto-mining on the infected device.

Malware installer

One of the links displayed by the app after startup is a redirector that installs more malicious apps:

As shown above, this site is already being flagged as malicious.

We observed a sharp rise in miner samples on January 8, 2018. The following are common among these samples:

  • The code structure
  • Certificate thumbprint/serial number
  • Miner service – CoinHiveIntentService
  • Hardcoded domain – hxxp://lp.androidapk.world/?appid=
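The indicators listed above (the engine.html miner script in the assets folder, the CoinHiveIntentService service and the hardcoded domain) can be combined into a simple static triage check that does not rely on permissions at all. The following Python script is an added example and is not SonicWall's code: it treats an APK as the zip archive it is, looks for the miner script and searches the manifest and DEX files for the service name and domain in both UTF-8 (DEX string pool) and UTF-16LE (binary AndroidManifest.xml string pool). The JavaScript function names it searches for inside engine.html (`startMining`, `stopMining`) are an assumption, since the page only says the script contains functions to start and stop mining; the two sample APKs are constructed in memory for the demonstration and are not real samples.

```python
import io
import re
import zipfile

# Indicators taken from the samples described on this page.
MINER_SCRIPT_PATH = "assets/engine.html"
MINER_SERVICE = "CoinHiveIntentService"
HARDCODED_DOMAIN = "lp.androidapk.world"
# The page says engine.html holds start/stop mining functions but does not
# name them; these JavaScript markers are an assumption for this example.
MINER_JS_MARKERS = ("CoinHive", "startMining", "stopMining")


def _encodings(s: str) -> tuple:
    """Byte forms to search for: UTF-8 (DEX string pool, ASCII range) and
    UTF-16LE (string pool of a binary AndroidManifest.xml)."""
    return (s.encode("utf-8"), s.encode("utf-16-le"))


def _contains(data: bytes, needle: str) -> bool:
    return any(enc in data for enc in _encodings(needle))


def scan_apk(apk_bytes: bytes) -> dict:
    """Return a dict of indicator name -> evidence for one APK's bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        if MINER_SCRIPT_PATH in names:
            script = apk.read(MINER_SCRIPT_PATH).decode("utf-8", "replace")
            hits = [m for m in MINER_JS_MARKERS if m in script]
            if hits:
                findings["miner_script"] = hits
        for name in names:
            # Manifest plus classes.dex, classes2.dex, ... (multidex apps).
            if name == "AndroidManifest.xml" or re.fullmatch(r"classes\d*\.dex", name):
                data = apk.read(name)
                if _contains(data, MINER_SERVICE):
                    findings.setdefault("miner_service", []).append(name)
                if _contains(data, HARDCODED_DOMAIN):
                    findings.setdefault("hardcoded_domain", []).append(name)
    return findings


def verdict(findings: dict) -> str:
    """Two or more independent indicators -> flag; one -> manual review."""
    n = len(findings)
    if n >= 2:
        return "suspected-miner"
    if n == 1:
        return "review"
    return "no-indicators"


def build_sample_apk(with_miner: bool) -> bytes:
    """Constructed APK-like zip for the demo (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = '<manifest package="com.example.game"/>'
        if with_miner:
            manifest = ('<manifest package="com.example.game.hack">'
                        '<service android:name=".CoinHiveIntentService"/></manifest>')
        # Real manifests are binary AXML with a UTF-16 string pool; emulate that.
        z.writestr("AndroidManifest.xml", manifest.encode("utf-16-le"))
        dex = b"dex\n035\0" + b"Lcom/example/game/MainActivity;"
        if with_miner:
            dex += (b"Lcom/example/game/CoinHiveIntentService;"
                    b"http://lp.androidapk.world/?appid=")
            z.writestr("assets/engine.html",
                       "<script>var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER');"
                       "function startMining(){miner.start();}"
                       "function stopMining(){miner.stop();}</script>")
        z.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample_apk(False)),
                          ("miner", build_sample_apk(True))):
        f = scan_apk(sample)
        print(label, verdict(f), f)
```

Requiring two independent indicators before flagging keeps a single coincidental string (for example a legitimate app that merely mentions a domain) from producing a false positive, while still catching the samples described here, which share all three.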


SonicWall Capture Labs provides protection against this threat with the following signatures:

  • GAV: AndroidOS.MoneroMiner.MNR (Trojan)
  • GAV: AndroidOS.CoinHack.MNR (Trojan)

A few of the Android samples that we observed as part of the surge:

  • com.gamehivecorp.kicktheboss2r.hack.apk
  • com.bennettracingsimulations.dirttrackin.hack
  • com.atari.mobile.rctc.hack
  • com.astragon.cs2014.hack
  • com.aspyr.swkotor.hack
  • com.and.games505.TerrariaPaid.hack
  • com.amazon.mShop.android.shopping.hack
  • com.activision.boz.hack
  • com.abtnprojects.ambatana.hack

Update 1

Once the miner app starts, CPU usage on the device increases to almost 100% utilization. This app, however, did not heat up the phone the way another mining app we covered earlier did.
