Security Experts:

'CoinKrypt' Malware Uses Google Android Phones to Mine for Virtual Currency

Much of mobile malware is going after user data, but the CoinKrypt malware has something else in mind.

As opposed to going after personal data or eavesdropping on phone calls like other mobile malware, CoinKrypt mines for cryptocurrency. According to researchers at Lookout Mobile Security, CoinKrypt is being spread on Spanish-language forums.  

"We were quite surprised and very skeptical about the effectiveness, which is why we independently tested smartphone hardware with a legitimate mining app to see how practical it was likely to be," Lookout principal security researcher Marc Rogers told SecurityWeek. "Unsurprisingly it isn't at all practical. I guess it does speak to the ingenuity of malware writers though - they are clearly willing to try anything, no matter how unlikely, to earn some coin."

According to Rogers, the malware was being distributed inside pirated versions of applications and uploaded to forums that distributed the Google Android apps for free.

In a blog post, Rogers noted that while the malware does not steal information, it can be an incredibly resource-intensive activity. If it is allowed to go on without any limits, it could potentially damage hardware and cause it to overheat and burnout.

"As a minimum, users affected by this malware will find their phones getting warm and their battery-life massively shortened," he noted. "Another added annoyance? CoinKrypt might suck up your data plan by periodically downloading what is known as a block chain, or a copy of the currency transaction history, which can be several gigabytes in size."

The malware itself is fairly basic. It is composed of three small program sections embedded in the target application that are responsible for the mining process. It is this lack of complexity however that makes it somewhat dangerous, Rogers blogged.

"Normal mining software is set up to throttle the rate at which coins are mined to protect the hardware it is running on," he wrote. "This includes no such protection and will drive the hardware to mine until it runs out of battery. Overheating associated with this kind of harsh use can also damage hardware."

The malware targets Litecoin, Dogecoin and Casinocoin while ignoring Bitcoin because of the relative difficulty in mining it.

"The difficulty for Bitcoin is so tough right now that a recent mining experiment using 600 quadcore servers was only able to generate 0.4 bit coins," Rogers blogged. "When we tested the feasibility of mining using a Nexus 4 by using Android mining software such as the application “AndLTC”, we were only able to attain a rate of about 8Kh/s – or 8,000 hash calculations per second, the standard unit of measure for mining. Using a Litecoin calculator and the difficulty setting mentioned above we can see that this would net us 0.01 LTC after seven days non-stop mining. That’s almost 20 cents."

Just recently, researchers at Trend Micro noted the appearance of Google Android malware as repacked copies of popular apps such as Football Manager Handheld and TuneIn Radio that is involved in mining digital money. The apps were injected with the CPU mining code from a legitimate Android cryptocurrency mining app that is based on the well-known cpuminer software.

"Users with phones and tablets that are suddenly charging slowly, running hot, or quickly running out of batteries may want to consider if they have been exposed to this or similar threats," blogged Trend Micro Mobile Threats Analyst Veo Zhang. "Also, just because an app has been downloaded from an app store – even Google Play – does not mean it is safe."