Crypto-Miners Slip Into Google Play
27.9.2018 securityweek

While Google doesn’t allow crypto-currency mining applications in Google Play, some developers have found a way to push such programs to the storefront: by hiding their true purpose.

For more than a year, malicious crypto-mining has spiked globally, fueled by massive increases in crypto-currency prices, and mobile users weren’t spared either, especially those on Android, the more popular mobile operating system at the moment.

Recently, SophosLabs security researchers discovered no less than 25 crypto-mining applications in Google’s official application store for Android, and revealed that over 120,000 users might have downloaded and installed them. The programs are disguised as games, utilities and educational apps.

Most of the offending applications, the researchers say, include embedded code from Coinhive, a JavaScript implementation to mine for the Monero crypto-currency. Designed to use a device’s CPU for the mining process, instead of a GPU, Coinhive is great for covert mining on mobile devices.

With only a few lines of code, mining capabilities can be added to any app that uses a WebView embedded browser, the researchers note.

“Monero has been the authors’ choice of crypto-currency for all these apps as it offers sufficient privacy to keep the source, destination, and the amount mined hidden. These apps use CPU throttling to limit CPU usage by mining, and thus avoid the usual pitfalls: device overheating, high battery drain, and overall device sluggishness,” SophosLabs explains.

Of the 25 applications, 11 were found to be preparation apps for standardized tests in the United States, such as the ACT, GRE, or SAT. Published by a single developer account (Gadgetium), the apps contain a HTML page that implements the Coinhive-based miner.

The apps would enable JavaScript, load the HTML page using a WebView, and then start the miner using a wallet value retrieved from the resources. Most apps used scripts hosted on, but two (co.lighton and com.mobeleader.spsapp) were observed hosting the mining scripts on their own servers.

One of the applications (de.uwepost.apaintboxforkids) was using the popular open-source CPU miner XMRig, which was designed to mine several crypto-currencies, Monero included.

Google was notified on the behaviour of these applications in August and has already removed some of them, but many continue to be available for download in Google Play.