Android Wallpaper Apps Hide Bitcoin Mining Malware

  • 28 April 2014

Is your smartphone running low on battery for seemingly no reason? Are things taking longer to render or load? Your gadget could be secretly mining bitcoins, thanks to a piece of mobile malware in Google Play that quietly uses an Android phone’s processing power, while hiding behind innocuous-seeming wallpaper apps.

Lookout Software uncovered the bug, dubbed “BadLepricon,” after which Google removed five applications that were incorporating it. The apps had between 100 and 500 installs each at the time of removal.

“And yes, that is how the malware authors spelled ‘leprechaun,’” wrote Lookout researcher Meghan Kelly, in a blog detailing the infection. “We hope they were going for a clever play on the word ‘con.’”

Although the wallpaper apps did indeed offer live wallpaper featuring everything from anime to hot men, behind the scenes BadLepricon began checking the battery level, connectivity and whether the phone’s display was on, every five seconds.

“It does this almost as a courtesy to your phone,” Kelly said. “Miners, when left unchecked, can damage a phone by using so much processing power that it burns out the device. In order to avoid this, BadLepricon makes sure that the battery level is running at over 50 percent capacity, the display is turned off, and the phone network connectivity.”

She added, “BadLepricon also uses a WakeLock, or a feature that makes sure the phone doesn’t go to sleep even if the display is turned off.”

The misspelling of “leprechaun” notwithstanding, the authors may not be that clever in other ways either, considering that bitcoin mining takes a lot more than a few hundred mobile devices to be lucrative.

“A phone’s computing power doesn’t actually result in that many coins,” Kelly said. “Every coin has a difficulty rate, which is determined by the amount of computing power needed to mine that coin and other factors. The difficulty for bitcoin is so tough right now that a recent mining experiment using 600 quad-core servers was only able to generate 0.4 bitcoins over one year.”

Because of these difficulty levels, miners tend to work in groups, pooling their processing resources and collecting payment as a percentage of the processing power they contribute. It’s unclear whether this particular gambit is part of a pool, however.

“In order to control the sometimes thousands of bots, the malware author may use a proxy to set up one point of contact,” Kelly explained. “BadLepricon uses a Stratum mining proxy, allowing the author to easily change mining pools or connections to bitcoin wallets with ease. It also gives the malware author some anonymity by obfuscating which wallet is being fed the mined bitcoins.”
 
Full Article

2 replies

Thanks for sharing Petr!
This is another example which confirms that users should always exercise caution and care when they are downloading apps from Google Play. Precaution is never too much ;)
 
Regards,
 
Mike

Google Removes Bitcoin Mining Android Malware from Play
Google recently removed five bogus wallpaper apps from its Play marketplace after they were deemed malicious and found sneakily mining Bitcoins.
The malware, dubbed BadLepricon, was spotted funneling Bitcoin into wallets and allowed the attacker to change mining pools easily to maximize the mining output of infected devices.
 
BadLepricon used a stratum mining proxy which not only let the attacker diversify their attack vector, but also reduce network loads and improve performance on slow or faulty networks.
According to the mobile security firm Lookout, which blogged about the malware late last week, each application had been installed between 100 and 500 times before they were removed.
According to researchers, the apps, which carried generic names like “Beating Heart Live Wallpaper” and “Epic Smoke Live Wallpaper,” did what they said they would: They supplied live wallpaper for Android phones.
 
Full Article
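
A detection-side illustration of the Stratum mining proxy traffic mentioned in the posts above, added here as an example and not taken from Lookout's analysis or from the malware itself: it scans client-to-server payloads for Stratum v1 JSON-RPC calls and reports which devices made them. The flows, addresses, host names and worker name are constructed sample data.

```python
import json

# Client-side methods of the line-delimited JSON-RPC Stratum v1 mining protocol.
STRATUM_CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}

def stratum_methods(payload: bytes):
    """Yield (method, params) for each Stratum client call in a TCP payload."""
    for line in payload.splitlines():
        try:
            msg = json.loads(line)
        except ValueError:
            continue  # not JSON (HTTP, TLS records, binary): ignore the line
        method = msg.get("method") if isinstance(msg, dict) else None
        if isinstance(method, str) and method in STRATUM_CLIENT_METHODS:
            params = msg.get("params")
            yield method, params if isinstance(params, list) else []

def find_miners(flows):
    """Map device -> peers, methods and worker names for devices speaking Stratum."""
    hits = {}
    for device, peer, payload in flows:
        for method, params in stratum_methods(payload):
            entry = hits.setdefault(
                device, {"peers": set(), "methods": set(), "workers": set()})
            entry["peers"].add(peer)
            entry["methods"].add(method)
            # mining.authorize carries the worker name as its first parameter.
            if method == "mining.authorize" and params and isinstance(params[0], str):
                entry["workers"].add(params[0])
    return hits

# Constructed sample flows: (device, destination, client-to-server payload).
SAMPLE_FLOWS = [
    ("10.0.0.21", "proxy.example:3333",
     b'{"id":1,"method":"mining.subscribe","params":[]}\n'
     b'{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n'),
    ("10.0.0.21", "proxy.example:3333",
     b'{"id":4,"method":"mining.submit","params":["worker1","job","00","00","00"]}\n'),
    ("10.0.0.34", "api.example:80", b'GET /wallpapers HTTP/1.1\r\nHost: api.example\r\n\r\n'),
    ("10.0.0.35", "api.example:80", b'{"method":"getWallpaper","params":[1]}\n[1,2]\n\xff\xfe\n'),
]

if __name__ == "__main__":
    for device, info in find_miners(SAMPLE_FLOWS).items():
        print(device, sorted(info["methods"]), sorted(info["workers"]), sorted(info["peers"]))
```

This only sees Stratum sent in cleartext; a session wrapped in TLS would need other signals, such as the destination or the device-side behaviour described in the first post.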
