Android Mining Trojans Report: Monero Mostly Favored

360 Security release a report about mining trojans on Android platform. Among the 5 cryptocurrencies being targeted, Monero is the most popular one.

Mobile mining Trojan is the application that uses mobile phone computing power to obtain cryptocurrency for the attacker without the user’s consent.
Cryptocurrency is an anonymous virtual currency. Due to its censorship-proof, semi-anonymous and intractable features, cryptocurrencies are often used for illegal transactions, or tools to conceal criminal conducts.
In March 2014 the first Android mining trojan was detected. From 2013 to January 2018, 360 Labs captured a total of more than 1,200 mining Trojan based on Android, around 400 of which emerge in January 2018 alone.

In terms of disguised forms, tools (20%), downloader (17%), wallpaper (14%) are the most commonly seen applications.
In terms of distribution sources, a dozen were found in Google play and more than 300 are distributed through third-party sites with a total download count of 2.6 million.

According to Adguard, in nearly 1 month in 2017, around 220 out of the top 100,000 Alexa-ranking websites failed to remind users that their computers were exploited for mining when users open their homepages. The number of affected users the number is up to 500 million. Most of them are video portals, file sharing sites, pornographic websites, news media and other websites that users tend to stay longer.

Five cryptocurrencies are mined on Android Trojan applications: Bitcoin, Litecoin, Dogecoin, Casinocoin and Monero.
Pool-mining are mostly adopted on Android Trojan rather than solo mining. Most android Trojan adopt open source pool-mining code or browser-based JavaScript.

Techniques include detecting device power, wake-up status, charge status, setting invisible pages and fake app downloader.
Profit model shifts from advertising to mining. Monroe become the preferred cryptocurrency and the target of the attack shift from attacking wallet to mining through android trojan.
PC platform already has counter measures while mobile platform cannot defend trojan comprehensively due to authority control.

Mobile platform mining is restricted by battery capacity and processor capacity. But cryptocurrencies are rapidly growing, new cryptos and values are increasing and mining eventually become profitable.
Such new profit model is still in its infancy, which requires more regulation to prevent it from being exploited.

Cypto Mining is the nickname for acquiring cryptocurrencies such as bitcoin. Because of its working principle is very similar to the mining of minerals, hence the name.
Mobile mining Trojan horse is the application that runs on mobile phone, consuming computing power to acquire cryptocurrency for the attacker without the user’s knowledge.

Cryptocurrency is an anonymous virtual currency. It is not distributed through any legal entities or controlled by central banks. The transaction is processed in the global network with special secrecy. Coupled with not having to go through third-party financial institutions, cryptocurrency gets more and more widely used.
Due to the features like censorship-resistant, semi-anonymous and intractability, cryptocurrencies are often used for illegal transactions as well as criminal tools or as tools to conceal criminal proceeds. The ransomware represented by WannaCry uses bitcoin as a payment method.

Bitcoin became the first decentralized cryptocurrency in 2009, and is now the dominant cryptocurrency with the highest creditability and market value.


Fig 1: Bitcoin price chart from April 2014 to January 2018

In 2017, the price of bitcoin rose by 1500%. One single bitcoin worth around 20,000 USD at its peak. What’s coming along is the escalation of android Trojan attack.
3. The evolution of Mobile Trojan Horse

The earliest mining trojan was first discovered on PC in 2013 while the first mobile mining Trojan CoinKrypt [2] was first exposed by foreign security vendors in March 2014. After a while of absence, malware creators turned to mining again with the rising price of cryptocurrency. Mobile Trojans attacks is bound to trend again.

Figure 2 The evolution of Android mining trojans

Mar 2014 Android.Coinkrypt, the first mining Trojan on Android.
Apr 2014 Android. BadLepricon [3], Discover a mobile phone mining Trojan on Google Play.
May 2014 Android. Widdit [4], the first mining trojan to use the Android SDK.
October 2017 Android.JsMiner [5], the first mining Trojan to load JavaScript.
October 2017 Android.CpuMiner [6], the first mining Trojan to use the cpuminer library.
December 2017 Android.PickBitPocket [7], a fraud program disguised as a Bitcoin wallet.
December 2017 Android.Loapi [8], a mining trojan with a complex and modular architecture.
January 2018 Android.Hackword [9], the first Trojan to use the Coinhive Android SDK.
Chapter 2 Status of Android Trojan
2.1 Scale and Impact

From 2013 to January 2018, 360 flames laboratory captured a total of more than 1200 Android mining Trojans, of which around 400 were detected in January 2018 alone, accounting for one third of all Android platform mining Trojans.

After a brief outbreak in 2014, Android Mining Trojan gradually became quiet in 2015 and 2016. The main reason is technical limitation at that time and the dropping crypto price. It’s not worthwhile. However, with the rise of the cryptocurrency at the end of 2017 and the maturity of mining technology, mobile Trojan once again becomes the target of Trojan creators. The outcome is the sudden outbreak of mobile mining Trojans.

Fig 3 Android mining Trojans disguised as all kinds of apps: tools (20%), downloader (17%), wallpaper (14%) is the most common types.

Fig 4 Android Trojans detected from 2013-2018 January

From the sample source, in addition to a dozen of mining Trojans found in Google play, we captured more than 300 trojans in a third-party download site and estimated total number of downloads up to 2.6 million times based on the webpage statistics.

Fig 5 Mining Trojans on third-party downloading site

According to Adguard data [10], in the nearly one month in 2017, around 220 of the top 100,000 Alexa-ranking sites are using the user computer for mining without notifying users. Up to 500 million people are affected.

Figure 6 Adguard survey data for a month

These websites are from the United States, India, Russia, China, Brazil, China and other countries.

Fig 7 Ratio of website location

Most of these websites are video portal, file sharing, adult and media outlets.

Fig 8 Categories of websites

2.2 Targeted Cryptocurrency

Targeted cryptocurrencies changes with network difficulty and price fluctuation. The top 5 are Bitcoin, Litecoin, Dogecoin, Casinocoin and Monero.

Fig 9 Crypto comparison chart

Chapter 3 Mining method and profit distribution
There are pooled mining and solo mining. Bitcoin is taken as example to illustrate the difference between these two different methods.
3.1 Solo mining

Solo mining is a solo process where the miner completely does his task of computing operations with solo possession of any income generated.

Figure 10 Solo mining process

Bitcoin generates one block every ten minutes on average. As the vast number of participating miners, solo mining may yield zero block in one year. And the computing power of mobile phones is even more limited compared to other mining equipment. So far no mining Trojans that adopts solo mining are detected.
3.2 Pooled Mining

Miners are the nicknames of members who are involved in the Bitcoin mining competition. Mining pool is a server designed with a specific algorithm so that all users connected to the pool server are mining together.
Although the performance of personal devices is quite limited, the pooled mining become very powerful and the chances of finding a block is greatly enhanced. Once a team member finds a block, then all members will share the profits based on each person’s contribution. Pool developers generally charge a fee but the method could bring more stable income. Most miners will choose pooled mining instead of solo mining.

Figure 11 Pool mining process

Mine pool mining is also divided into general mining and front-end pool mining

3.2.1 General pooled mining: General pooled mining uses the float computing power of CPU or GPU to mine. Hash value are calculated by mining program based on C or other languages. Mining pool then distribute dividends based on hash value and charge a fee that is usually below 10%.
3.2.2 Front-end mining: front-end mining use asm.js or webAssembly front-end parser intermediary in the browser side. CPU of website viewer will be passively employed to mine. GPU operation is called by WebGL of the HTML5. Hashing will be generated through CPU or GPU. The front-end mining pool will charge (such as Coinhive [11]) will charge a 30% fee.
Due to features like convenience of use, cross-platform and hard to detect, the front-end pooled mining method is getting more popular.

Chapter 3 Technical principle of Android mining Trojan

3.1 Technology principles
In order to maintain stable proceeds, Trojan creator often selects pooled mining. Through remote control of mining Trojans, attacker can gain profits by hijacking mobile phone to run mining program in the background without the owner’s consent.

Figure 12 Trojan attack process

In terms of coding, open source pooled mining or JavaScript mining script are often adopted.

Mining through open source pooled mining library
CpuMiner, the mining Trojan, uses the cpuminer, an open-source mining project, to mine Bitcoin and Litecoin.

Figure 13 Github open source project
Step 1: Register mining and broadcasting services and other components. Register broadcast and mining service in the Android Manifest.


Figure 14

Step two: embedded mining library files

Figure 15
Step three: configuration: including algorithms, address, account information and other basic information.

Figure 16

Step Four: Execute cpuminer to start mining

Figure 17

3.1.2 JavaScript mining script
In September 2017, Pirate Bay [12], a well-known bittorrent site, attempted to embed JavaScript mining scripts in its web pages. Due to compatibility issues, some users’ CPU usage reached 100%. Later the website admitted they intend to use it to increase part of their revenue.
Due to the flexibility and simplicity of browser JavaScript mining script, it has been favored by more and more malicious Trojans and has also led to many security incidents involving JavaScript mining.

Figure 18 JavaScript API provided by Coinhive

3.2 Technical tricks of mining Trojans
Mining operation will occupy CPU or GPU resources, resulting in slow performance of mobile phone, heating or power drop, which would be easily perceived by the user. Therefore, mining Trojans adopt some technical means to hide or control mining behavior.
3.2.1 Detect battery level
Mining Trojans will lead to a significant consumption in battery power. In order to ensure the normal operation of mobile in most cases, mining Trojans will choose to operate when the battery level is higher than 50%.

Figure 19 Check if battery capacity is greater than 50%
Figure 20 Detects if screen is on

(B) Detecting charging status
Device being charged has enough power and heating. Running on a device being charged, mining Trojans could operate without user’s awareness.


Figure 21

Figure 22 Connecting Pickaxe pool via the MiningService service

3.3.3 Mining through invisible pages
By setting android: visibility as “invisible”, mining Trojans could load javascript via invisible Webview page.

Figure 23 set invisible webview page

3.3.4 Fake application downloader
Mining Trojans cheat users to download the app by faking as popular applications. What is actually being installed is a downloader, which will start mining after being launched. The app just provide a link to application download.

Figure 24 Fake app downloader

Chapter 4 Android mining Trojan outlook
The development of Android mining Trojan is largely affected by PC Trojans. By watching Trojan attacks closely, we find that there are 3 directions that Android Trojans are moving to.
4.1 Profit from mining instead of advertisement
By analyzing samples from an APP download site, we found that adware embedded in its early version would request access to ads. The most recent test indicates that the software would add JS script to mine Moneor based on Coinhive.

Figure 25 Comparison of early and recent request of the same link
Analysis of the download site indicates that the software on the website contains Android SDK example provided by Coinhive.


Figure 26
4.2 Monero coins become the most favorable choice of cryptocurrency to mine.
For attackers, it’s more profitable to pick a cryptocurrency that is high in price and appropriate in hashrate.
Early Trojans choose to mine BitCoin, Litecoin, Dogecoin and Casinocoin.

With the difficulty increase of bitcoin and emergence of new cryptos, bitcoin is no longer the only choice mining trojans. Monero was first launched in April 2014 and relatively new in the market. Monroe was chosen as the primary crypto to mine with Trojans. The major advantages of Monero are:

1) Monero has better anonymity. The transaction does not involve the provision of wallet address. The counterparty can check your wallet assets through the wallet address.
2) Monero have better mining algorithms. It does not rely on ASICs and can be done with any CPU or GPU, which means that even ordinary computer users can participate in the mining of Monero. It can even use the remaining computer capacity to mine

3) Monroe has “self-adaptable block size limit.” Monero has set an self-adaptive block size from the start, which means it can automatically calculate how big a block is needed based on the number of transactions. Therefore Monero doesn’t have scaling issues like bitcoin.
4) The R & D team behind Monero has excellent design quality and development goals. There are many excellent open-source projects based on Monero with many contributors.

4.3 Hacker target cryptocurrency wallet
Since attacks on cryptocurrency wallet can bring a large amount of proceeds, a number of PC Trojans are targeting crypto wallets by stealing private keys or changing receiving addresses upon payment.

Figure 27 PickBitPocket Trojan Disguised as Bitcoin Wallet
In the Android platform also found a similar attack, PickBitPocket Trojan disguised as bitcoin wallet application, and successfully added to Google Play. Which steals bitcoin under the user’s account by replacing the payment address with the attacker’s bitcoin address when the user pays.

The bugs and risks in the cryptocurrency wallets did not attract enough attention. Bitcoin address is equivalent to the bank account, whose private key is equivalent to the password and transfer bitcoin under the address. That is to say, obtaining the private key possesses full control overhe bitcoin under the address. In our survey and analysis, we found that some wallets even store un-encrypted private key on the SD card. We still need to further enhance the storage and security of private key.

Chapter 5. Defense of mining Trojan
5.1 Defense strategy based on the PC
In view of mining Trojan ravages, 360 Guards and 360 Browser released the “mining Trojan protection” feature. Users simply turn on this feature to gain defense from various Trojan attacks. When browsing a webpage, it will automatically shield the user from the mining script like ad block. When program is downloaded and installed, real-time interception of various mining codes and warning of pop-ups will ensure that user CPU resources will not be consumed and occupied.


Figure 28 360 Guards launched the “mining Trojan protection

5.2 Mitigation strategy based on mobile phone
Compared with the PC platform, the mobile platform is limited by permission restrictions. Apps usually have built-in browser so that mining trojan cannot be fully intercepted.
For mobile system that has Root authority, Iptables can be set up for the mining site to achieve firewall functions. However, this method is difficult to operate for ordinary users and the URL update lags behind.

Disabling of JavaScript can play a protective role for mobile system without root authority. However, this method can only prevent the browser from visiting mining webpages and cannot effectively control the embedded browser.

Figure 29 Set up javascript of mobile phone browser
In addition to the mitigation measures above, we suggest that users should raise personal safety awareness and develop good habits of using mobile phones. Choose trusted sites when downloading apps. Do not click on the link from unknown source. Scan mobile system when the phone is heated abnormally and performing with interruption.

Chapter 6 Summary
6.1 Prospects
Mining and blackmail are two major global security topics for 2017. Not only because of their widespread impact and the consequences, but also because of the tendency of both to move from PC to mobile platforms. Compared to PC, the popularity and easy-use of mobile terminal equipment make the security issue to spread faster and wider. However, the mobile platform is limited in its mining capacity by its battery capacity and processor capability. In the process of mining, it may cause operation interruption, heating, battery drop and even physical damage. At the moment, mining on mobile device is not a sustainable way for cryptocurrency generation.

Software developers and website owners are always looking for new revenue models that can replace advertising, payment, and donation. Cryptocurrencies, represented by Bitcoin and Monroe, are growing rapidly. As existing crypto rise and new currency emerges, mining will eventually become more profitable. It is understood that in September last year, a website owner made an attempt to replace advertising with the use of Coinhive. He gained 0.00947 Monroe (Monroe, code XMR) within 60 hours, which is equipment of $ 0.89 at current price, an average of $ 0.36 a day. It’s less than the banner and text ads revenue by 4 to 5 times. Now that the price of Monroe (XMR) has been rising all the way, if calculated at the current price, the revenue from mining is almost the same or even higher than that of advertising with the same traffic on the site.


Figure 30 Website mining revenue

6.2 Risk control
We must not ignore that the mining script that is compatible in all platforms has injected new vitality to mining Trojans on mobile platform. This new profit model is still in its infancy and requires more control and regulation. Online advertisement first appeared to achieve a win-win situation for developers, website owners and users without affecting the experience. However, due to poor management and control, a number of malicious advertisements appear and misuses the user’s equipment resources, which not only seriously affect the user experience but also brings malicious chargeback and privacy theft. The development of mining will have many similarities with advertisement. Although ads could be replaced, user’s machine could be seriously damaged without proper control.

We found in the survey that coinhive has provided pop-up window to prompt user before starting the mining process. If user cancels, then the mining process will be could be terminated. It is indeed a good start. We hope more miners will be able to exercise strict controls to avoid being exploited maliciously. We will continue to monitor the development of such malicious programs.


Figure 31 Coinhive Prompt
[1]btc price chart:
[2] CoinKrypt:How criminals use your phone to mine digital currency:
[3] BadLepricon:Bitcoin gets the mobile malware treatment in Google Play:
[4]Widdit: When mobile mining malware might be legit:
[5] CoinMiner Mobile Malware Returns, Hits Google Play:
[6] CPUminer for Litecoin and Bitcoin:
[7] 3fake Bitcoin wallet apps appear in Google Play Store:
[8] Jackof all trades:
[9] Trojans that use Coinhive android SDK:
[10] Cryptocurrencymining affects over 500 million people:
[11] Coinhive – Monero JavaScript Mining:
[12] Pirate bay use coinhive script to mine crypto:
[13]Coinhive review: Embeddable JavaScript Crypto Miner – 3 days in:


< <上一篇