Panning for virtual gold - using other people's equipment

04/24/2018
G DATA Blog

For quite some time, criminal actors have been using mobile devices for mining, without the knowledge or consent of the user.

It is common practice in the realm of internet related crime to use other people’s device to benerate profit. The range of activities stretches from “optimizing” visitor numbers of a certain website all the way to infecting devices with ransomware. Mobile cryptomining is not a new invention that only the Bitcoin boom of late 2017 gave rise to. We have been writing about this topic as long ago as four years. It is more a matter of jumping on the band wagon to profit from the recent surge in popularity and value of those cryptocurrencies. Mining on a large scale has become a profitable affair. However, dedicated high-powered mining rigs capable of mining large amounts of virtual coins are expensive and require large quantities of electricity, which makes them unattainable for the majority of people. Following the saying that “every little drop makes a mighty ocean”, criminals try to secure their piece of the pie. To achieve this, they connect large numbers of devices in a sort of bot net and make them mine cryptocurrencies.

Threat models for mobile devices

There are various methods employed by criminals to mine as many coins as possible in the shortest possible amount of time. One of the easiest and most obvious methods is to upload a fake wallet app to an app store of their choice. When installing such an application, the user’s wallet is stolen by grabbing passwords and passphrases. In other cases, the user is asked to create a new wallet and transfer his coins there. Instead of a new wallet, the coins are then sent to the attacker’s wallet instead. In both cases, the user ends up losing his crypto money. Technically, those approaches are not more than an enhanced version of phishing (using an app instead of a website or email) as well as redirecting transactions, similar to what banking malware has been doing for a long time.

Criminals can also use manipulated apps to use other people’s devices to mine coins. There are also legitimate apps which do that, but the major difference is that in legitimate app the user consents to the mining and is informed about the actions, whereas a manipulated app does not do so. Even though an individual smartphone only has a relatively small amount of computing power, there is  strength in numbers when it comes to generating profit.  When combining hundreds or even thousands of smartphones, actors can raise a sizeable amount of computing power, without having to worry about hardware costs or electricity bills.

Mining as an alternative to adverts, paywalls and subscriptions

In light of the fact that cryptocurrencies are often talked about in connection with online crime, some people are under the impression that they as well as mining for them is illegal. This is not the case. There are legitimate uses where cryptomining is offered as an alternative to a "classic" payment model. Many magazine and newspaper publishers have a strong motivation to remain profitable in times of declining printed editions. Therefore, they offer online subscriptions, either based on a weekly or monthly basis or for a predetermined number of articles. In some cases they offer customers an "ad free" option where a customer sees either no adverts or significantly fewer. However, many are deterred by any paywalls that publishing companies put up. For this reason some website operators offer customers to pay for the content or an ad-freeexperience by sharing processor performance. for the duration of their stay on the website, the PC is used to mine a cryptocurrency such as Bitcoin or Ethereum in the background. Mining stops as soon as the user leaves the website. On mobile devices, however, this model has not seen any use yet. 

The important difference is: unlike with malware, the user has a choice and makes an informed decision about letting his or her PC mine coins in the background.

Effects and consequences

All this does not sound particularly dramatic. After all, most smartphones are not used around the clock. Often they are placed unused in bags, pockets or on a table. The only obvious consequence seems to be that the battery drains quicker. If this was the only potential effect, it would not be more than a minor nuisance. Many are not aware, though, that cryptomining, especially when done by malware, can result in permanent damage to a device. In the best case, you only have a battery that drains quicker. In a worst case scenario the battery is put under severe strain that can even lead to it bloating and destroying the device. In addition, a smartphone also experiences significant thermal stress when under permanent high load, which can have a negative impact on the device's life span.

What also should not be forgotten is the fact that you can even argue that the computing capacity from mobile devices is not high enough to actually yield any profit. The computing power required to mine polular cryptocurrencies such as Bitcoin or Ethereum is definitely beyond the capabilities of many, if not all smartphones. Older devices or lower-tier models are likely not to be usable for mining those currencies at all. Some users calculated that the annual profit (costs for electricity already factored in) from a low-end device is in the low single-digit range. Bearing this in mind, the question of which currency criminals want to mine, becomes essential. The "classic" cryptocurrencies like Bitcoin and Ethereum fall out of this equation, for the reasons outlined previously. This only leaves currencies which (as of mid-April 2018) are just getting started and are not yet widespread, such as Charnacoin. 

How smartphone users can protect themselves

Many pitfalls can easily be avoided by following a few simple guidelines:

Getting apps from official sources only can significantly increase security, because both Google and Apple monitor uploaded apps for malicious code. Suspicios apps and malware are usually removed from the official platforms relatively quickly. Third party platforms that have little or no regulation harbor a much greater risk of falling victim to a malicious app. In some Asian countries, up to every fourth app is malicious or at least questionable.

It also pays to take a look at the reviews an app has received. Criminals are of course aware of the fact that positive reviews are an important factor in a user’s decision making process for downloading an app. Therefore, many malicious apps have some positive review, even though they are pretty nondescript („Best app in the world!“).

Malicious apps are also often uploaded on multiple developer accounts. This makes an application’s logo unsuitable as an indicator for the authenticity or harmlessness of an app.
In addition to these simple steps, users should also install a security solution on their Android smartphones, such as G DATA Mobile InternetSecurity, which recently received top marks from AV-Test again.