Bitcoin Mining Code in Millions of Google Play Downloads



Millions of Android Downloads Are Mining for Crypto Currency

According to recent research, a staggering number of Google Play downloads are secretly hijacking smartphones to mine crypto coins without permission.

More than 1 million Android devices are siphoning cryptocoin information without their users' knowledge via apps installed from Google Play, which secretly include “hashing” code.

Analysts and researchers at Trend Micro, a security company, claim they have found at least two popular apps and games on Google Play that contain malicious code, which enables hackers to penetrate any device that has this code installed and turn it into part of a crypto coin-mining “pool.”

The apps in question are Songz and Prized, which have been downloaded and installed by over 10 million users collectively, since each app's stats show that it had been downloaded between 1 million and 5 million times. Hence, around 10 million Android devices might be affected. At the time of the research publication, Songz was still available for download on Google Play, and the developer chose not to respond to an email sent to him by the security company.

The compromised apps apparently include a request to run the mining code within their terms and conditions, which means that once users tap “OK” they automatically give permission to have their processing time stolen. The security company criticizes the terms and conditions of many applications, including the two in question, for “the murky language and fake terminology.”

Trend Micro also discovered hidden code for mining Bitcoin in repackaged versions of TuneIn Radio and Football Manager Handheld on third-party resources offering Android downloads. It is not clear, however, whether the versions of these apps on the Google Play store have been affected.


Trend Micro is expanding on the February report by security company G Data International, adding more details about the malware ANDROIDOS_KAGECOIN.HBTB, which uses the insignificant processing resources of individual smartphones to mine or generate bitcoin, litecoin and dogecoin without the owner knowing about the process or even about the existence of the malicious code on their device.

ANDROIDOS_KAGECOIN.HBTB works its way onto Android devices by injecting totally legitimate cryptocurrency mining code, taken from an existing application, into repackaged versions of Android apps and games.

“The miner is started as a background service once it detects that the affected device is connected to the Internet. By default, it launches the CPU miner to connect to a dynamic domain, which then redirects to an anonymous Dogecoin mining pool,” says Trend Micro on its blog.
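A triage check for the behaviour quoted above, added here as an example and not taken from Trend Micro's report: it reads a decoded `AndroidManifest.xml` (as produced by a tool such as apktool) and lists broadcast receivers woken by connectivity changes together with the services declared in the same Java package. It assumes the connectivity trigger is a manifest-declared receiver for `android.net.conn.CONNECTIVITY_CHANGE`, which the report does not state; the sample manifest and its package names are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
CONNECTIVITY = "android.net.conn.CONNECTIVITY_CHANGE"

# Constructed sample: decoded manifest of a hypothetical repackaged app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.radio">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".PlaybackService"/>
    <service android:name="com.example.injected.WorkService"/>
    <receiver android:name="com.example.injected.NetReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def component_name(elem, app_pkg):
    """Resolve android:name, expanding the '.Foo' shorthand to a full class name."""
    name = elem.get(NS + "name", "")
    return app_pkg + name if name.startswith(".") else name

def java_package(class_name):
    return class_name.rpartition(".")[0]

def connectivity_started_services(manifest_xml):
    """Return receivers woken by connectivity changes, with services in the same package."""
    root = ET.fromstring(manifest_xml.strip())
    app_pkg = root.get("package", "")
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    if "android.permission.INTERNET" not in perms:
        return []  # no network access, so no pool connection to worry about
    services = [component_name(s, app_pkg) for s in root.iter("service")]
    findings = []
    for rcv in root.iter("receiver"):
        if CONNECTIVITY not in {a.get(NS + "name") for a in rcv.iter("action")}:
            continue
        rname = component_name(rcv, app_pkg)
        rpkg = java_package(rname)
        findings.append({
            "receiver": rname,
            "services": sorted(s for s in services if java_package(s) == rpkg),
            "foreign": not (rpkg + ".").startswith(app_pkg + "."),
        })
    return findings
```

A finding with `foreign` set means the receiver and its sibling services sit outside the app's own package; legitimate SDKs do this too, so it is a prompt to inspect those classes, not a verdict.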

Another research company, Canalys, suggested that “negative security PR continues to hurt Google Play’s brand image.” Of course it does, for the company does absolutely nothing to ensure that the applications and games offered on its marketplace have been checked and verified at all. And what is worse, no developer is accountable for the presence of any malicious code in their apps. In addition, we have already reported on how easy it is to hack a legitimate Android application, insert malicious code into it and re-upload it to the Google Play store.

More and more security researchers continue to discover malware targeting Android apps and games, but Trend Micro’s recent discovery is one of the worst because it involves applications and games with a huge number of downloads from Google Play.

According to the blog post, crypto coin mining code that runs in the background has one more side effect: reduced battery life. Users may be unaware that the battery in their device is draining somewhat faster than usual for no apparent reason, and recharging it more often can wear it down in the long run.

“Users with smartphones and tablets that are suddenly charging slowly, running hot, or quickly running out of batteries may want to consider if they have been exposed to this or similar threats,” says the Trend Micro blog post.

Trend Micro and G Data both sell security apps for Android, so both companies may have a commercial motivation to highlight Android malware in order to appeal to wider strata of customers. Nevertheless, the threat is obvious and confirmed, and we have a clear reason and a sense of urgency for Google to change its policy on accepting apps and games to its marketplace.