Mobile Commerce Insider Featured Article

March 27, 2014

Booby-trapped Android Apps May Be Working Hard...for Someone Else

Various cryptocurrencies like the popular Bitcoin, and its somewhat less popular variants like Litecoin, Dogecoin and a host of others, have been gaining ground in recent months as a potential investment vehicle or even as a replacement for cash. A new security threat on that front has shown up, as security researchers have noted a new kind of hostile code geared toward turning mobile devices into a kind of botnet with the express purpose of generating cryptocurrency for other people.

Apps found both inside and outside the Google Play store, which have reportedly been downloaded “millions of times,” contain extra code designed to turn the device on which the apps are running into one geared toward mining cryptocurrency, particularly Dogecoin, Litecoin and Casinocoin. Phones running the programs in question will reportedly experience rapid battery drain, and one security firm said that the programs were found in several apps popular in both France and Spain, including two apps called Songs and Prized, both of which were available on the Google Play store for quite some time. While at the time of this writing Prized didn't seem to be on hand, there was indeed an app called Songs available on Google Play.

This was regarded as an unusual development, especially by Trend Micro's Veo Zhang, who noted that “Phones do not have sufficient performance to serve as effective miners,” but given the likely numbers of phones that were involved, the volume could have made up for the individual items' lack of performance. Lookout's Marc Rogers noted a further risk associated with this: hardware overheating. Rogers noted that programs like these didn't seem terribly interested in being judicious about the resources used, potentially overheating the device, using the battery at staggering levels and making recharging a slow process. Another key point to watch for would be a data allowance that seems to fly by at speeds more rapid than normal. Trend Micro has reportedly filled in Google's Android security team on the issue, but Google has yet to comment.

Reports suggest that one of the groups that put out the app in question had managed to wrangle “thousands of Dogecoins,” which were subsequently swapped for Bitcoins. Given that Bitcoins are selling at $517.90 U.S. as of this writing, that could potentially be a substantial find indeed.

Being able to essentially generate a commodity and then exchange that commodity for cash makes it a perfect system for hackers to get involved in, and will likely lead to more programs like this coming about. Though it may be perhaps the least risky sort of hack to those who fall victim to it (not much is lost here except maybe a bit of the life of the system on which the mining code is added, and certainly no personal information, bank account data or the like), it still poses a risk, as hardware may burn out before its time, or suffer similar harm.

When the risk is slim and the reward is potentially great, there's likely to be plenty of interest in the sector overall. Bitcoin mining, Dogecoin mining, Litecoin mining and beyond are likely to continue for some time, adding to the ever-increasing roster of risks that mobile users need to be mindful of every day. While a fix for this particular issue will likely be forthcoming, it's the next issue that should be a concern, and just what form it will take is as yet largely unknown.

Edited by Cassandra Tucker
