Security researchers at Trend Micro have uncovered a new Android malware that furtively uses an infected device’s computing power to mine Monero. Trend Micro detects it as “ANDROIDOS_HIDDENMINER”, or simply “HiddenMiner”.
The malware’s mechanisms include self-protection and persistence techniques that hide it from unsuspecting users and abuse the Device Administrator feature, a technique previously seen in the infamous SLocker Android ransomware. HiddenMiner was found inside apps distributed through third-party app stores. According to the researchers, most infected users are in India or China, and the malware’s operations were traced back to a mining pool from which the crooks obtained 26 XMR, approximately $5,400.
HiddenMiner also resembles Loapi, another Monero-mining Android malware, in that it can cause an infected device’s battery to bloat. In addition, the malware can lock the device’s screen when there is an attempt to revoke its administrator permissions.
This new Monero-mining malware uses the device’s CPU power to mine Monero crypto-currency. “There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted. Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail,” stated Lorin Wu, a Mobile Threat Analyst for Trend Micro.
HiddenMiner disguises itself as a legitimate Google Play update app, appearing as “com.google.android.provider” with Google Play’s icon. It requires the targeted user to activate it as a device administrator, and the activation prompt reappears persistently until the unsuspecting user taps the Activate button. Once that button is tapped, the malware begins its nefarious work.
It then uses that administrator account to hide the original app behind a transparent app icon and immediately starts a Monero miner that runs continuously in the device’s background. The malware can also lock an Android device’s screen whenever it detects an attempt to remove its administrator account on devices running Android 6.0 or older. This trait is nothing new; it was previously seen in LokiBot, an Android banking Trojan.
“Users can’t uninstall an active system admin package until device administrator privileges are removed first. In HiddenMiner’s case, victims cannot remove it from device administrator as the malware employs a trick to lock the device’s screen when a user wants to deactivate its device administrator privileges. It takes advantage of a bug found in Android operating systems except for Nougat (Android 7.0) and later versions,” Wu stated.
The only way to remove HiddenMiner is therefore to remove the admin account. Until then, the malware keeps mining Monero until the device’s battery overheats and gives out, which ultimately destroys the device. Specifically, users have to reboot their devices in Safe Mode, remove the rogue admin account, and then uninstall the malware-laden app to save the device from an untimely demise.
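A defender-side triage helper, added here and not taken from Trend Micro’s write-up: it parses the output of `adb shell dumpsys device_policy` to list enabled device admins and flags any package outside an allowlist that holds the force-lock policy, which is what a device admin needs in order to call DevicePolicyManager.lockNow() and lock the screen when a user tries to revoke it. The dump below is constructed to follow the AOSP layout rather than captured from an infected device; the allowlist, the benign package and the receiver class names are assumptions.

```python
import re
# Constructed sample of `adb shell dumpsys device_policy`, laid out like the AOSP
# dump; the second package is the name the article reports, the rest is placeholder.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10042
      testOnlyAdmin=false
      policies:
        force-lock
      passwordQuality=0x0
    com.google.android.provider/.AdminReceiver:
      uid=10187
      testOnlyAdmin=false
      policies:
        force-lock
      passwordQuality=0x0
"""

# Assumption: packages legitimately holding device-admin rights on this fleet.
KNOWN_GOOD_ADMINS = {"com.example.mdm"}

ADMIN_LINE = re.compile(r"^    (\S+?)/(\S+):$")  # "    pkg/.Receiver:"
POLICY_LINE = re.compile(r"^        (\S+)$")    # "        force-lock"


def parse_enabled_admins(dump: str) -> list[dict]:
    """Return one dict {package, receiver, policies} per enabled device admin."""
    admins, current, in_policies = [], None, False
    for line in dump.splitlines():
        m = ADMIN_LINE.match(line)
        if m:  # a new admin entry starts; reset per-entry state
            current = {"package": m.group(1), "receiver": m.group(2), "policies": []}
            admins.append(current)
            in_policies = False
        elif current is not None and line.strip() == "policies:":
            in_policies = True
        elif in_policies:
            m = POLICY_LINE.match(line)
            if m:
                current["policies"].append(m.group(1))
            else:  # first non-policy line (e.g. passwordQuality) ends the list
                in_policies = False
    return admins


def suspicious_admins(dump: str) -> list[dict]:
    """Admins outside the allowlist that hold force-lock, the lockNow() policy."""
    return [a for a in parse_enabled_admins(dump)
            if a["package"] not in KNOWN_GOOD_ADMINS and "force-lock" in a["policies"]]
```

Run it against a real dump piped from `adb shell dumpsys device_policy`; a hit for a Google-looking package name that Google Play did not install is the signal to follow the Safe Mode removal steps above.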