Malware Hijacks Millions of Android Devices to Mine Monero
Cybercriminals are increasingly hijacking other people’s devices to mine Monero (XMR), in a trend now called cryptojacking. According to Malwarebytes, a “drive-by” mining campaign recently redirected millions of Android users to a website that hijacked their devices to mine the privacy-centric cryptocurrency using Coinhive.
The campaign worked by redirecting users to a page that told them their device was “showing suspicious surfing behavior.” As such, they needed to verify they were human by solving a CAPTCHA, while their device was used to mine Monero “in order to recover server costs incurred by bot traffic.”
All users had to do was solve the CAPTCHA and click a “continue” button. Once solved, they would be redirected to Google’s home page, which researchers noted was an odd choice. Malwarebytes details that it first spotted the “drive-by” campaign last month, but that it could’ve been around since November 2017. The exact trigger that captured users isn’t clear, but researchers believe infected apps with malicious ads did the trick.
Their post reads:
“While Android users may be redirected from regular browsing, we believe that infected apps containing ad modules are loading similar chains leading to this cryptomining page. This is unfortunately common in the Android ecosystem, especially with so-called “free” apps.”
Malwarebytes researchers weren’t able to identify all the domains users were being redirected to. They managed to identify five domains, and concluded that these received about 800,000 visits per day, with an average of four minutes spent mining, per user.
To find out the number of hashes being produced, researchers note, a conservative rate of 10 h/s was used. This low hash rate, coupled with the four-minute average time spent mining, means the hackers behind it could only be making “a few thousand dollars” per month.