SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

Android mining trojan so aggressive it can break your device (Dec 22, 2017)


As cryptocurrencies become more valuable, cybercriminals are upping their game to try to make a healthy profit out of their unwilling victims. This week, the SonicWall Capture Labs Threat Research Team has received reports of a malicious android app which turns your mobile device into a cryptocurrency mining slave.

Infection cycle:

The sample we have analyzed installed a fake security application called CM Security. It even uses the same icon as the legitimate version from Cheetah Mobile.

Upon installation it asks for admin privileges.

After being granted with the admin rights, the malicious app hides its icon from the main menu. It also makes it difficult for a standard user to uninstall this app with the option grayed out.

This app checks for the operating system build to verify whether it is being run on a virtual environment or an emulator. It checks for common emulators such as Android emulator kernel Goldfish, Genymotion and Droid4x.

With admin rights, this malware now has access to the phone's address book and send SMS among many others.

This malware uses the wakelock mechanism to force the device to stay on while also using the keyguard service to let it lock and unlock the keyboard.

We found the following modules within the app which are related to displaying advertisements on the user's device.

We also found modules on what appears to be how the compromised device will communicate back to a remote server and possibly how commands can be received and malicious tasks can then be carried out.

And lastly, we found this mining class from within the app. This malware used Coinhive which is a javascript miner for Monero blockchain.

It has been reported that with the aggressive mining efforts that this malware does, it puts the device under strain making it work at full load which then causes it to overheat and break the device.

Sonicwall Capture Labs provides protection against this threat with the following signature:

  • GAV: AndroidOS.Coinminer.JS (Trojan)

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2019 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 14.6 | S2MSW01