Google Play Store

There doesn't appear to be an end in sight for the cryptojacking scourge affecting all facets of the web right now.

If you're not already bored of reading about yet another incident where miscreants deployed the Coinhive in-browser script to mine Monero behind users' backs, then this article might interest you.

Coinhive found inside Play Store apps

Our article is based on a 13-page report published last week by UK cyber-security firm Sophos. According to the company, its engineers discovered 19 Android applications that were uploaded and made available through the official Google Play Store.

Sophos says these apps were secretly loading an instance of the Coinhive script without user knowledge.

An analysis of the malicious apps revealed that the app authors (believed to be the same person or group) hid the Coinhive JavaScript mining code inside HTML files in the apps' /assets folder.

The malicious code executed when the user started the apps and the apps opened a WebView instance (Android's stripped-down, embeddable browser component).

In some cases, if the apps did not justify opening a browser window, the WebView component was hidden from view and the mining code ran in the background.

In other instances, where the app was a news reader or tutorial viewer, the Coinhive in-browser JavaScript mining code ran alongside the app's legitimate content while the user was using the app.

One app had over 100,000 users

Sophos discovered this technique with 19 apps published via four developer accounts. Most apps barely made it to 100-500 installs, but one app (extreme.action.wwe.wrestin) was installed on between 100,000 and 500,000 devices.

The apps were uploaded to the Play Store around Christmas and Sophos researchers reported all apps to Google. All have been removed from the official Play Store at the time of writing.

A list of all the 19 Coinhive-laden apps is available on page 7 of the Sophos report, and users can review the list and see if they installed any of the apps on their devices.

Sophos identified 10 other apps performing hidden mining

On page 10, there's another list of malicious apps. These did not load the Coinhive JavaScript miner; instead, they embedded the native cpuminer library for mining Bitcoin and Litecoin.

Sophos dubbed this malware CoinMiner and says it found it embedded in 10 apps made available through the coandroid.ru website, a third-party Android app store.

The danger of cryptojacking to mobile devices

While many news sites are oversaturated with articles about illegal cryptocurrency mining, users should be aware that mining cryptocurrency on their smartphone may permanently damage the device, as Kaspersky researchers proved last month when they discovered the Loapi Android malware.

But users don't have to install malware-laced apps on their devices to be affected. Yesterday, security researchers from Malwarebytes announced they discovered a malvertising campaign that targets Internet users utilizing Android mobile browsers.

The campaign used malicious code hidden in ads to redirect users to sites where crooks were mining Monero (via Coinhive) while the user was trying to solve a CAPTCHA field. The user didn't have to install an app to be affected; just surfing the web was enough.

While desktop computers may withstand the hardware stress that comes with cryptocurrency mining, mobile devices such as smartphones and tablets are more fragile and may risk permanent damage, especially to their batteries, which could overheat and deform.
