KageCoin Malware Shows Up in Google Play, Ready to Hijack Phones for Mining

Currency mining is a resource-intensive process in which specialized software listens for currency transactions broadcast through the peer-to-peer network, then performs the work needed to process and confirm those transactions. It’s all legal, and necessary for Bitcoin and the rest to function. But miners perform the work because they can earn transaction fees paid by users for faster transaction processing, and they also gain newly created coins issued into existence according to a fixed formula. Mining takes up a vast amount of CPU power, energy and, at scale, bandwidth. So, there’s an incentive to abuse the system by enlisting unsuspecting machines into performing the work.

In this case, malware authors are targeting unwitting Android aficionados. It has real consequences for users: shorter battery life, increased wear and tear, all of which could lead to a shorter device lifespan. Users will notice telltale signs that something’s not right, like slow charging, excessively hot phones or faster-than-usual battery drains—but may not realize what the issue is.

The researchers at Trend Micro said that KageCoin was originally included in repacked copies of popular apps such as Football Manager Handheld and TuneIn Radio. The apps were injected with CPU mining code taken from a legitimate Android cryptocurrency mining app, cpuminer.

“To hide the malicious code, the cybercriminal modified the Google Mobile Ads portion of the app,” the firm said in an analysis. “The miner is started as a background service once it detects that the affected device is connected to the Internet. By default, it launches the CPU miner to connect to a dynamic domain, which then redirects to an anonymous mining pool.”

Those original apps were found outside of the Google Play store, but Trend Micro has found a code variant in official apps within the store – apps that have been downloaded by millions of users. It’s called KageCoin HBTB.

“Analyzing the code of these apps reveals the cryptocurrency mining code inside,” researchers noted. “Unlike the other malicious apps, in these cases the mining only occurs when the device is charging, as the increased energy usage won’t be noticed as much.”
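The charging-only trigger described above is itself a detectable pattern: an app whose heavy CPU use happens only while the device is plugged in and online behaves very differently from one that is busy whenever it is in use. The following is an added example, not code from the article or from Trend Micro; it runs a simple heuristic over constructed per-app telemetry samples (the field names and package names are assumptions) and flags packages whose high-CPU samples all coincide with charging and connectivity.

```python
# Added example (not from the article or Trend Micro): a heuristic that flags
# packages whose heavy CPU use occurs only while the device is charging and
# online, the trigger pattern described for the KageCoin HBTB variant.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Sample:
    """One constructed telemetry sample (field names are assumptions)."""
    ts: int          # seconds since boot
    package: str     # Android package name (constructed, hypothetical)
    cpu_pct: float   # CPU share of this package in the sampling window
    charging: bool   # battery is charging
    online: bool     # device has network connectivity


# Constructed sample data: a video app that is busy whenever it is used,
# and an app that only burns CPU once the phone is plugged in and online.
SAMPLES = [
    Sample(0,   "com.example.video",     70.0, False, True),
    Sample(60,  "com.example.video",     65.0, True,  True),
    Sample(0,   "com.example.wallpaper",  1.0, False, True),
    Sample(60,  "com.example.wallpaper", 88.0, True,  True),
    Sample(120, "com.example.wallpaper", 91.0, True,  True),
    Sample(180, "com.example.wallpaper", 90.0, True,  True),
    Sample(240, "com.example.wallpaper",  0.5, False, True),
]


def charging_only_cpu_hogs(samples, cpu_threshold=50.0, min_hot_samples=3):
    """Return {package: hot_sample_count} for packages whose high-CPU samples
    all occurred while charging and online, with at least min_hot_samples."""
    hot = defaultdict(list)
    for s in samples:
        if s.cpu_pct >= cpu_threshold:
            hot[s.package].append(s)
    flagged = {}
    for pkg, hot_samples in hot.items():
        if len(hot_samples) < min_hot_samples:
            continue  # too little evidence to call it a pattern
        if all(s.charging and s.online for s in hot_samples):
            flagged[pkg] = len(hot_samples)
    return flagged


if __name__ == "__main__":
    print(charging_only_cpu_hogs(SAMPLES))  # {'com.example.wallpaper': 3}
```

The video app is not flagged because its heavy CPU use also occurs while unplugged, which is what legitimate foreground work usually looks like.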

It added, “Reading their app description and terms and conditions on the websites of these apps, users may not know that their devices may potentially be used as mining devices due to the murky language and vague terminology.”

While Trend Micro noted that phones do not have sufficient performance to serve as effective miners—“Yes, they can gain money this way, but at a glacial pace”—the fact remains that at a scale of millions of devices, it’s likely the malware purveyor has been fairly successful.

By February 17, for instance, the network of mobile miners had earned the author thousands of Dogecoins. After February 17, the cybercriminal changed mining pools, now connecting to the WafflePool mining pool. “The Bitcoins mined have been paid out (i.e., transferred to the cybercriminal’s wallet) several times,” Trend Micro said.

It all goes to show that just because an app has been downloaded from a legitimate app store – even Google Play – does not mean it is safe.

Trend Micro said that it has informed the Google Play security team about the issue. In the meantime, users should be on the lookout for unusual hardware behavior.
