Two Google Play Apps, Songs and Prized, Install Cryptocurrency Mining Code on Over 1 Million Android Phones

Two programs on the Android app marketplace Google Play, Songs and Prized, were found to be infected with the malicious cryptocurrency mining code ANDROIDOS_KAGECOIN.HBTB, which is based on the well-known software cpuminer. This code connects unwitting victims’ phones to a pool of high-end machine processors and runs in the background to mine Litecoin and Dogecoin and create new e-coins.

These two apps were popular, especially Songs, which was downloaded by 1,000,000 to 5,000,000 people. Prized was downloaded by 10,000 to 50,000 people, so as many as 5,050,000 smartphones had this malware installed.

Armed with the knowledge that no one actually reads the lengthy “Terms and Conditions” agreements that must be accepted before installing an app, the developers of Songs and Prized included some vague language in those agreements referencing the mining practices. Technically, users who purchased these apps gave consent for their processing time to be used to mine e-coins, but other than these sparse and intentionally muddled references in the agreements, there was no reason for users of Songs and Prized to suspect the apps were also being used to mine e-coins.

The breach was discovered on Tuesday, March 25th, by Veo Zhang, a security threat analyst for Trend Micro. He stated: “These apps have been downloaded by millions of users, which means that there may be many Android devices out there being used to mine cryptocurrency for cybercriminals. Analyzing the code of these apps reveals the cryptocurrency mining code inside.”

The processes involved in cryptocurrency mining are intensive and will noticeably drain your phone’s battery. To stay covert, the developers of ANDROIDOS_KAGECOIN.HBTB set it up so that mining only runs while your phone is charging. But even while being charged, your phone will begin to overheat when the mining code is in use, so this is one way to tell if this malware is installed on your phone.

It is worth noting that Trend Micro, the website that popularized this story, sells security software for Android phones. This represents an obvious conflict of interest in their reporting of the story, but the fact remains that two apps that made it into the Google Play marketplace brought malicious software with them.
