Coinhive Cryptocurrency miner script found in apps on Google PlayStore

Coinhive’s cryptocurrency-mining script has found its way into mobile apps offered on Google Play.
Cybersecurity researchers from Trend Micro said Monday (30 October) that two malware strains were detected. These apps used dynamic JavaScript loading and native code injection to avoid detection. The detected apps are dubbed ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.

ANDROIDOS_JSMINER: Mining via Coinhive

The first app (prsolutions.rosariofacileads) is meant to help users pray the rosary; the second (com.freemo.safetyne) allows users to “earn free Talk, Text, and Data” by racking up credits “by redeeming local coupons and deals, watching videos, taking surveys and more.”

“Both of these samples do the same thing once they are started: they will load the JavaScript library code from Coinhive and start mining with the attacker’s own site key,” Trend Micro researchers explained.

“This JavaScript code runs within the app’s webview, but this is not visible to the user because the webview is set to run in invisible mode by default.”
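The behaviour the researchers describe (a Coinhive loader plus a site key, running in a WebView the user cannot see) can be checked for statically. The following is an added example, not code from Trend Micro or from this article; it assumes the APK's text files have already been decoded into a path-to-content mapping, and the regex indicators and the layout-based hidden-WebView heuristic are assumptions about how such an app might look.

```python
import re
from typing import Dict, List, Tuple

# Indicators of the Coinhive in-browser miner (assumed from Coinhive's public
# loader: script under /lib/ and the CoinHive.Anonymous/User/Token constructors).
LOADER_RE = re.compile(r"(?:coinhive\.com|coin-hive\.com)/lib/[\w.-]+\.js", re.I)
MINER_RE = re.compile(r"CoinHive\.(?:Anonymous|User|Token)\(\s*['\"]([A-Za-z0-9]+)['\"]")
# A WebView declared hidden in a layout file (heuristic, not proof of abuse).
HIDDEN_WEBVIEW_RE = re.compile(
    r"<WebView\b[^>]*android:visibility\s*=\s*\"(?:invisible|gone)\"", re.I)


def scan_unpacked_apk(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, indicator, detail) for every hit in decoded APK text files."""
    findings = []
    for path, text in sorted(files.items()):
        for m in LOADER_RE.finditer(text):
            findings.append((path, "coinhive-loader", m.group(0)))
        for m in MINER_RE.finditer(text):
            findings.append((path, "miner-site-key", m.group(1)))
        if HIDDEN_WEBVIEW_RE.search(text):
            findings.append((path, "hidden-webview", "visibility invisible/gone"))
    return findings


def verdict(findings) -> str:
    """A hidden WebView alone is not flagged; miner code plus a hidden WebView is."""
    kinds = {kind for _, kind, _ in findings}
    mining = bool(kinds & {"coinhive-loader", "miner-site-key"})
    if mining and "hidden-webview" in kinds:
        return "likely-hidden-miner"
    return "miner-code-present" if mining else "clean"


# Constructed sample: files as they might look after decoding an APK.
SAMPLE = {
    "assets/engine.html": '<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
                          "<script>var m = new CoinHive.Anonymous('EXAMPLESITEKEY0000'); m.start();</script>",
    "res/layout/activity_main.xml": '<WebView android:id="@+id/wv"\n'
                                    '    android:visibility="invisible" />',
    "res/layout/about.xml": '<TextView android:text="About" />',
}

if __name__ == "__main__":
    hits = scan_unpacked_apk(SAMPLE)
    for hit in hits:
        print(*hit, sep="\t")
    print(verdict(hits))
```

An app that hides its WebView in code rather than in a layout file would not trigger the `hidden-webview` indicator, so a `miner-code-present` verdict still warrants manual review.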


ANDROIDOS_CPUMINER: Trojanized versions of legitimate apps

Another family of malicious apps takes legitimate versions of apps and adds mining libraries, which are then repackaged and distributed. These are detected as ANDROIDOS_CPUMINER.

One version of this malware is in Google Play and disguised as a wallpaper application.

Smartphones hit with the mining malware will show clear signs that something is wrong, including reduced battery functionality and slower performance.

It’s unclear how many downloads each app received, but both apps have been removed from the Google Play Store, and the accounts of their developers have apparently been removed or suspended.

If you notice a reduction in your device's performance or high battery drain after installing an app, then you definitely have to uninstall the app.

All content on this website is based on individual experience and journalistic research. It does not constitute financial advice. Cryptomartez is not liable for how tips are used, nor for content and services on external websites. Common sense should never be neglected!