A cryptocurrency mining gang is using a function normally found in SLocker Android ransomware to add self-protection and persistence to what Trend Micros is calling HiddenMiner.
HiddenMiner abuses the Device Administrator feature, as does SLocker, to remain hidden and active and does this so well it has the ability to either use the device’s resources until it runs out of power or fails due to overheating. And HiddenMiner ensures that it retains its administrative privilege by locking the screen’s device, using a flaw inherent in Android operating systems 7.0 and later, whenever the user attempts to deactivate this ability.
“This is similar to the Loapi Monero-mining Android malware, which other security researchers observed to have caused a device’s battery to bloat. In fact, Loapi’s technique of locking the screen after revoking device administration permissions is analogous to HiddenMiner’s,” wrote Lorin Wu, a mobile threats analyst with Trend Micro.
Some of the obfuscation techniques are to empty the app label and use a transparent icon and once it is set as the administrator it will hide itself from the app launcher by calling setComponentEnableSetting(), which is a tactic used by the DoubleHidden Android adware, Wu said, adding it also has the ability to check and see if it is running on an emulator.
The malware’s hook is it poses as a legitimate Google Play update app appearing on a screen as com.google.android.provider and sporting the official Google Play logo and it will keep appearing until the user gives in and clicks on the link. This is a tremendous error as one of the permissions is that it be activated as the device administrator.
Once these steps are taken the Monero miner starts operating.
Due to HiddenMiner’s effectiveness, Wu would not be surprised if it spread outside of these two countries.
The mining operation appears to be quite active and lucrative with Trend noting that on March 26 $5,360 in Monero was removed from one of the multiple wallets associated with the malware. So far most of the victims are in India and China and these people are having their devices infected when they visit third-party app stores.