A security researcher found 291 Android APKs re-packaged with CoinHive’s mining script, most of them tied to the same CoinHive key.
While most people get their apps from Google Play, some prefer to take the risk of downloading APKs from third-party websites, which do not always audit these packages for malware.
A security researcher who goes by the name “Elliot Alderson” found that many of these applications are simply fake, re-packaged APKs with CoinHive’s mining script embedded in them.
“I don’t think these apps are the original apps. The ‘hacker’ modified it and repacked it and after that, he uses multiple dropper apps to distribute these modified apps. Only the package name and the app name have been changed and I just dug up more and in fact, this is the same app 291 times, which means there are 291 applications with different icons and names,” he told HackRead.
According to the tweet he posted yesterday, 287 of the 291 apps he scanned use the same CoinHive key, which points to a single person or group having re-packaged them.
I was bored on the plane, so I made some scripts and reversed the 291 apps; here are some facts:
– The key 6GlWvU4BbBgzJ3wzL3mkJEVazCxxIHjF is used 287 times
– These 291 apps are the same app. The code is identical; only the app name, icon and package name are different
— Elliot Alderson (@fs0c131y) January 7, 2018
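The two checks the researcher describes, counting how many APKs share one CoinHive site key and showing that the code is identical apart from name, icon and package name, can be automated with a short script. The following is an added example and not the researcher’s own scripts: it treats each APK as the zip archive it is, pulls CoinHive site keys out of any bundled HTML/JS with a regex on the usual `new CoinHive.Anonymous('KEY')` embed, and fingerprints only the code-bearing entries (`.dex` files and `lib/`), so that renamed or re-iconed copies hash identically. The sample APKs, their package names and the 32-character keys are constructed for the demonstration; the regex covering the `Anonymous`/`User` constructor forms is an assumption about how the miner is embedded.

```python
"""Cluster a batch of APKs by embedded CoinHive site key and by code fingerprint.

Added example (not the researcher's scripts). An APK is a zip archive; the
mining key typically appears as `new CoinHive.Anonymous('<32-char key>')`
in a bundled HTML/JS asset. Re-packaged copies keep the same classes.dex
while AndroidManifest.xml (package name) and res/ (icon, label) change.
"""
from __future__ import annotations

import hashlib
import io
import re
import zipfile
from collections import defaultdict

# Assumed embed pattern: CoinHive.Anonymous('KEY') or CoinHive.User('KEY', ...),
# where the site key is 32 alphanumeric characters.
COINHIVE_KEY_RE = re.compile(rb"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]{32})['\"]")


def is_code_entry(filename: str) -> bool:
    """Entries that carry app logic; manifest, resources and signatures are excluded."""
    return filename.endswith(".dex") or filename.startswith("lib/")


def extract_coinhive_keys(apk_bytes: bytes) -> set:
    """Return every CoinHive site key found in any file inside the APK."""
    keys = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            for m in COINHIVE_KEY_RE.finditer(zf.read(info)):
                keys.add(m.group(1).decode())
    return keys


def code_fingerprint(apk_bytes: bytes) -> str:
    """SHA-256 over the code entries (dex, native libs), sorted by name.
    Copies that differ only in name, icon or package name hash identically."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in sorted(zf.infolist(), key=lambda i: i.filename):
            if not is_code_entry(info.filename):
                continue
            h.update(info.filename.encode() + b"\0" + zf.read(info))
    return h.hexdigest()


def cluster_apks(apks: dict):
    """Group APK names by (a) CoinHive key (None = no miner found) and (b) code fingerprint."""
    by_key = defaultdict(list)
    by_code = defaultdict(list)
    for name, blob in apks.items():
        for key in extract_coinhive_keys(blob) or {None}:
            by_key[key].append(name)
        by_code[code_fingerprint(blob)].append(name)
    return dict(by_key), dict(by_code)


# --- constructed sample data: minimal zips laid out like re-packaged APKs, not real apps ---
def build_fake_apk(package: str, label: str, miner_key) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", f'<manifest package="{package}"/>')
        zf.writestr("res/values/strings.xml", f"<string name='app_name'>{label}</string>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\x00" * 64)  # identical "code" in every copy
        if miner_key:
            zf.writestr("assets/index.html",
                        "<script src='coinhive.min.js'></script><script>"
                        f"var miner = new CoinHive.Anonymous('{miner_key}');miner.start();</script>")
    return buf.getvalue()


SAMPLE_KEY = "A" * 32  # placeholder key, not the one from the tweet
SAMPLE_APKS = {
    "flashlight.apk": build_fake_apk("com.example.flashlight", "Flashlight", SAMPLE_KEY),
    "calculator.apk": build_fake_apk("com.example.calc", "Calculator", SAMPLE_KEY),
    "weather.apk": build_fake_apk("com.example.weather", "Weather", "B" * 32),
    "clean.apk": build_fake_apk("com.example.clean", "Clean", None),
}

if __name__ == "__main__":
    by_key, by_code = cluster_apks(SAMPLE_APKS)
    for key, names in by_key.items():
        print(f"key {key}: {len(names)} app(s) -> {names}")
    for fp, names in by_code.items():
        print(f"code {fp[:12]}...: {len(names)} app(s) -> {names}")
```

Run against a directory of real APKs by replacing `SAMPLE_APKS` with a dict of filename to file bytes. A large cluster under one key with a single code fingerprint is exactly the pattern in the tweet; apps that share the fingerprint but carry no key or a different one are still the same repackaged code and worth a look.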
CoinHive, a JavaScript-based Monero miner, has become a popular tool for hackers, letting them mine Monero on their victims’ CPUs without their knowledge.
In mobile apps CoinHive’s script is particularly harmful: the sustained CPU load drains the battery, wears it down over time, and runs the device hot during what should be normal use.
While Google audits applications that go up on the Play Store, the same can’t be said about APKs from third-party sources.
Mobile users who want to avoid falling victim to mining scripts should always download their apps from official channels.
Cryptojacking, as the practice is called, has become so widespread that even reputable businesses have, without knowing it, been used to mine cryptocurrency for hackers on their customers’ CPUs.
The most notable recent incident came just a few weeks ago, when the wireless network at a Starbucks store was hijacked so that customers who connected to it briefly mined Monero for the attackers.