Researchers find Javascript cryptomining code in 19 Android apps

Cyber crooks are intent on hiding cryptomining code in Android apps

British cyber security researchers have discovered Javascript-based cryptomining code in 19 Android apps.

According to engineers at Sophos, cyber crooks are uploading applications infested with Coinhive script to the Google Play store without users knowing.

After conducting a malware analysis, the security bods found that hackers are hiding the JavaScript mining code in the HTML files of Android apps.

The malicious code kicks in when users click onto the app or if they use the WebView browser instance. Crooks are also ploughing this code into news reader and tutorial services.

They design these apps in a way that makes the code appear alongside benign, legitimate content. Cyber criminals can then harvest a user's smartphone CPU power to mine digital currencies, such as Bitcoin and Monero.

Sophos identified 19 apps that are using this technique, developed by four separate developers. The majority of the apps had only been downloaded by a few hundred people.

In most cases, they ranged between 100 and 500 installs. However, one of the apps (extreme.action.wwe.wrestin) was downloaded up to 500,000 times.

The crooks published these apps in Google's Play Store over the festive period, and after warning Google, the tech giant has since removed them.

The apps all used the same JavaScript mining code to trick users. In these circumstances, most users would not be able to identify the dangers of the code.

The researchers found ten other malicious apps that had hidden cryptomining code. But instead of Coinhive, they used a native cpuminer library for Bitcoin and Litcoin mining.

"Interest in cryptocurrency has grown in tandem with Bitcoin's growing value in recent months. As a result, cybercriminals are ramping up efforts to obtain digital money in dishonest ways," said Sophos.

"Though the value of various cryptocurrencies will surely fluctuate going forward, the price surge we saw late last year was dramatic enough that online thieves will continue to focus on illicit mining code, with the expectation that there will be more value spikes in the future to cash in on."

The security firm said hackers are targeting Android, in particular. "Google Play has become a favourite malware distribution point to infect smartphones with cryptocurrency miner," it claimed.

"Bitcoin-mining malware has a long history in Google Play, with the first family — Andr/LepriCon-A — appearing in 2014.