Trend Micro security experts have found a new strain of Android cryptocurrency miner, detected as ANDROIDOS_HIDDENMINER. The malware abuses the device's CPU to mine Monero cryptocurrency.
According to the researchers, HiddenMiner was built for mobile devices and can evade automated analysis by checking whether it is running in a virtualized environment, reusing an Android emulator detector found on GitHub.
“We uncovered a new Android malware that can surreptitiously use the infected device’s computing power to mine Monero. Trend Micro detects this as ANDROIDOS_HIDDENMINER.” the Trend Micro analysis states.
“This Monero-mining Android app’s self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLocker Android ransomware).”
The security researchers also identified the Monero mining pools and wallets connected to the HiddenMiner malware and learned that one of its operators withdrew 26 XMR (or US$5,360 as of March 26, 2018) from one of the wallets. Based on this, the experts believe the malware developers are currently active.
The HiddenMiner malware abuses the device’s CPU power in order to mine Monero cryptocurrency. However, the computational load is so heavy that the CPU can overheat, causing the device to lock up, fail, and be permanently damaged.
“There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted.” the analysis reads.
“Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.”
This behavior had already been observed before, when the Loapi Monero-mining malware caused the device’s battery to bloat.
Like the Loapi malware, HiddenMiner also locks the device screen when its device administration permissions are being revoked.
Currently, ANDROIDOS_HIDDENMINER is being delivered via a fake Google Play update application, which the researchers found on third-party app marketplaces.
At present the cryptocurrency miner affects users in China and India; however, the experts fear it could spread to other countries very soon.
According to the researchers, the malware creators abuse the Device Administration permission: users can’t uninstall an active device admin package until its device administrator privileges have been removed first.
HiddenMiner’s victims cannot strip the miner of its device administrator rights because it employs a trick that locks the device’s screen whenever a user tries to deactivate those privileges.
The security researchers explained that the malware exploits a weakness present in Android versions older than Nougat; Nougat and later versions are not affected.
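As an added illustration of the triage this implies (not code from Trend Micro or from the article): a Python helper that parses the output of `adb shell dumpsys device_policy` to list which packages hold active device-administrator rights on each Android user, flagging any package not on an expected list, since such a package cannot be uninstalled until its admin rights are revoked. The sample dump below is constructed for this example, its layout is assumed from the real command's output, and the package names are made up.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `adb shell dumpsys device_policy` output. The layout is
# an assumption based on the real command; the packages are invented.
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.android.email/com.android.email.SecurityPolicy$AdminReceiver}:
      uid=10034
      testOnlyAdmin=false
    ComponentInfo{com.example.fakeplayupdate/com.example.fakeplayupdate.AdminReceiver}:
      uid=10187
      testOnlyAdmin=false
  Enabled Device Admins (User 10, provisioningState: 0):
    ComponentInfo{com.android.email/com.android.email.SecurityPolicy$AdminReceiver}:
      uid=1010034
"""

# Packages an organisation expects to hold device-admin rights (assumption).
EXPECTED_ADMINS: Set[str] = {"com.android.email"}

USER_RE = re.compile(r"Enabled Device Admins \(User (\d+)")
COMP_RE = re.compile(r"ComponentInfo\{([^/]+)/([^}]+)\}")


def parse_active_admins(dump: str) -> Dict[int, List[str]]:
    """Map each Android user id to the packages whose device-admin receivers
    are active, in the order dumpsys lists them."""
    admins: Dict[int, List[str]] = {}
    user = None
    for line in dump.splitlines():
        m = USER_RE.search(line)
        if m:
            user = int(m.group(1))
            admins.setdefault(user, [])
            continue
        m = COMP_RE.search(line)
        if m and user is not None:
            admins[user].append(m.group(1))
    return admins


def unexpected_admins(dump: str, allowlist: Set[str] = EXPECTED_ADMINS) -> Dict[int, List[str]]:
    """Per user, the device-admin packages not on the allowlist. Each of these
    blocks `pm uninstall` until its administrator rights are revoked."""
    return {u: [p for p in pkgs if p not in allowlist]
            for u, pkgs in parse_active_admins(dump).items()
            if any(p not in allowlist for p in pkgs)}
```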