HiddenMiner malware drains Android CPU to mine Monero

HiddenMiner Android malware has already helped criminals steal 26 Monero

Another Android virus[1] is here, and it’s called HiddenMiner. Just as the name suggests, this malware mines cryptocurrency by draining the resources of Android smartphones and tablets. Its developers can already enjoy their profits: more than $5,000 worth of Monero was withdrawn from one wallet.

Trend Micro researchers detect this Android malware as ANDROIDOS_HIDDENMINER.[2] It was actively spreading via third-party app stores, presented as a Google Play update app. The primary targets of the malware were Indian and Chinese users. However, malware distribution does not have borders.

The analysis has shown that HiddenMiner malware is quite sophisticated. It can get administrator access to the device, hide in the system, and protect itself from removal. Such functionality explains why cyber criminals have already managed to mine 26 XMR, which is $5,360 in Monero.

HiddenMiner virus asks users to give device administrator access

HiddenMiner malware was spotted in the same place where all mobile viruses hide: third-party app stores. The malicious app was introduced as a Google Play update. On the targeted device, it triggers a pop-up labeled “com.google.android.provide” and shows the legitimate Google Play icon.

The notification looks convincing, so it is no surprise that users activate device administrator and give the Android malware full access to the device. As soon as the “Activate” option is tapped, the miner gets into the system.

The first thing HiddenMiner does is hide itself. It creates a transparent icon and hides the malicious application from the app launcher screen. The malware also has an anti-emulator feature which allows it to go undetected by antivirus.

The research has shown that the miner does not have a switch or controller in its code. This means that it uses the smartphone’s resources until they are drained. However, a discharged battery is the least of the problems. The affected device can overheat, and this might lead to physical damage to the smartphone.

Malware locks Android’s screen to keep administrative privileges to itself

The creators of the malware exploited a bug which exists in Android Marshmallow[3] or older versions of the OS in order to stop victims from taking away administrative privileges from the malicious app. However, this flaw was fixed in Nougat[4] and newer versions of Android OS, so the malware should not be able to hijack brand new Android phones.

This Android malware is designed to lock the affected device’s screen when users try to remove the administrator rights of the malicious app. It goes without saying that virus detection and removal become problematic. While users try to get rid of the malware, it uses the smartphone’s CPU and mines Monero.
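The two traits described above, delivery from outside Google Play and an active device administrator grant, can be checked together from a workstation. The following is an added example, not code from Trend Micro or from this article; it assumes text captured with `adb shell dumpsys device_policy`, `adb shell pm list packages -i` and `adb shell pm list packages -s`, assumes the dump layout shown in the constructed samples (it varies between Android versions), and uses hypothetical `com.example.*` package names.

```python
import re

# Assumption: Google Play is the only installer trusted on this fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

ADMIN_RE = re.compile(r"^\s+([A-Za-z0-9_.]+)/[\w.$]+:\s*$")
PKG_RE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?")

def active_admins(policy_dump):
    """Packages listed under 'Enabled Device Admins' in dumpsys device_policy."""
    admins, in_section = [], False
    for line in policy_dump.splitlines():
        if line.startswith("Enabled Device Admins"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            in_section = False  # a new top-level section has started
        m = ADMIN_RE.match(line) if in_section else None
        if m and m.group(1) not in admins:
            admins.append(m.group(1))
    return admins

def packages(pm_output):
    """Map package name -> installer (None when the listing has no installer)."""
    found = {}
    for line in pm_output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def suspicious_admins(policy_dump, pm_list_i, pm_list_s):
    """Active admins that are neither system apps nor installed by a trusted store."""
    installer, system = packages(pm_list_i), set(packages(pm_list_s))
    return [p for p in active_admins(policy_dump)
            if p not in system and installer.get(p) not in TRUSTED_INSTALLERS]

# Constructed sample captures; all com.example.* names are hypothetical.
POLICY = """Enabled Device Admins (User 0, provisioningState: 0):
  com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
    uid=10013
  com.example.oem.finder/.AdminReceiver:
    uid=1000
  com.example.updater/.AdminReceiver:
    uid=10142
Other section:
"""
PM_I = """package:com.google.android.gms  installer=com.android.vending
package:com.example.oem.finder  installer=null
package:com.example.updater  installer=null
"""
PM_S = "package:com.google.android.gms\npackage:com.example.oem.finder\n"

if __name__ == "__main__":
    print(suspicious_admins(POLICY, PM_I, PM_S))
```

A flagged package is a lead for manual review, not a verdict: enterprise management agents installed by sideloading will also appear.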

We want to remind you of the need to take care of your mobile devices. It’s time to obtain a reputable antivirus program and stop installing apps from third-party stores. Stick to the Google Play store when you need to install apps and updates. However, malware might be waiting for you in the official store too. So, you have to be attentive, read user reviews and check information about the developers.[5] Clicking the “install” button might be fatal.

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor’s degree was in English Philology.
