Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A newly discovered Android malware called HiddenMiner is capable of preventing uninstallation and can mine cryptocurrency so aggressively it overheats and destroys infected devices.
- HiddenMiner can do more damage to pre-Nougat versions of Android. Keep devices up to date, install antivirus apps, and never install applications from anywhere but the official Google Play store.
Trend Micro has discovered a new form of cryptomining Android malware that could be capable of killing infected devices through overzealous resource usage.
Dubbed HiddenMiner, the new malware package is designed to mine the Monero cryptocurrency that has become a popular Bitcoin alternative for hackers and cybercriminals. It does so with no regard to the safety of the device it has infected, which can lead to battery bloat, overheating, and device destruction similar to that caused by the Loapi malware outbreak in late 2017.
Device destruction isn’t the only dangerous capability that HiddenMiner has going for it—removing it from pre-Nougat (Android 7.0) devices is practically impossible. That may not seem like an immediate problem to users of the top flagship Android devices, but devices running Android 7.0 and above account for less than 30% of total Android devices.
Trend Micro reports that HiddenMiner has been detected in India and China, which makes sense considering that the market share of pre-Nougat Android devices is higher in India and Asia compared to the global average.
Android users elsewhere shouldn’t grow complacent, though: Trend Micro says it’s only a matter of time before HiddenMiner appears in other parts of the world.
How HiddenMiner does its damage
Like many forms of Android malware, HiddenMiner comes from third-party app stores that don’t have the security and oversight of Google Play. It pretends to be a Google Play update, masquerading as com.google.android.provider.
Once a user gives HiddenMiner permissions, it installs itself, hides its icons, checks to make sure it isn’t running in an emulator, and retains administrator permissions granted to it during the install process.
Here’s where HiddenMiner gets tricky: It exploits a bug in Android 6.0 and older (fixed in Android 7.0) to lock the screen whenever a user tries to revoke its admin permissions, a step that is required before the app can be uninstalled. Attempts to stop it and uninstall it are met with repeated screen locking, leaving HiddenMiner free to mine Monero with nothing to stop it.
According to Trend Micro, stopping isn’t part of HiddenMiner’s code—literally. “There is no switch, controller, or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted,” Trend Micro said. “Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.”
There’s no reason that HiddenMiner’s creator should care, either. Even if it is responsible for destroying its hosts, it’s still earning money while doing so—one Monero wallet tied to the app has withdrawn over $5,000 as of March 26, 2018, meaning it’s active and successful despite its destructive nature.
Protecting yourself from HiddenMiner
There’s nothing new to say about protecting yourself from HiddenMiner—its infection path and destructive capabilities are no different from malware that has come before it.
Preventing infections like HiddenMiner, which rely on users sideloading apps from non-official app stores and running old versions of Android, is as easy as not doing those two things.
Never install apps from an unapproved source. If you manage Android devices, be sure to block your users’ ability to do so. Keep your device updated as well, and if you can’t update it to a safer version of Android, take extra care with it to be sure it’s secure.
Lastly, install an antivirus app on all Android devices, no matter how new they are. Mobile malware is a serious threat, especially on Android devices, and antivirus software can go a long way toward preventing the installation of a questionable app or a malicious script.
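For administrators who can pull diagnostics from a managed handset over adb, the following added example (not code from Trend Micro or this article) triages captured output for the indicators described above: a sideloaded package using the com.google.android.provider name, a third-party package holding device-admin rights, and a pre-Nougat API level on which revoking those rights can be blocked by screen locking. The sample captures and the assumed line format of `dumpsys device_policy` are constructed.

```python
import re

NOUGAT_SDK = 24  # API level of Android 7.0, where the admin-revocation screen-lock bug was fixed

# Package name HiddenMiner uses to pose as a Google Play update (named in the article).
IMPERSONATED_PACKAGES = {"com.google.android.provider"}


def parse_third_party_packages(pm_output: str) -> set[str]:
    """Package names from `adb shell pm list packages -3` ('package:<name>' per line)."""
    return set(re.findall(r"^package:(\S+)$", pm_output, re.M))


def parse_device_admins(dumpsys_output: str) -> set[str]:
    """Package names of enabled device admins from `adb shell dumpsys device_policy`.
    Assumes each admin component is listed as '<package>/<receiver class>:' on its own
    line (constructed format; adjust the pattern for other Android builds)."""
    return set(re.findall(r"^\s*([\w.]+)/[\w.$]+:\s*$", dumpsys_output, re.M))


def triage(sdk_version: int, pm_output: str, dumpsys_output: str) -> list[str]:
    """Return human-readable findings; an empty list means no HiddenMiner-style indicator."""
    third_party = parse_third_party_packages(pm_output)
    admin_pkgs = parse_device_admins(dumpsys_output)
    findings = []
    for pkg in sorted(third_party & IMPERSONATED_PACKAGES):
        findings.append(f"sideloaded package impersonating a Google component: {pkg}")
    for pkg in sorted(third_party & admin_pkgs):
        findings.append(f"third-party package holds device-admin rights: {pkg}")
    if sdk_version < NOUGAT_SDK and third_party & admin_pkgs:
        findings.append(
            f"SDK {sdk_version} is pre-Nougat: revoking those admin rights may be "
            "blocked by repeated screen locking, so plan removal with that in mind"
        )
    return findings


# Constructed sample captures (not real device output).
SAMPLE_SDK = 23  # Android 6.0
SAMPLE_PM = "package:com.google.android.provider\npackage:com.example.notes\n"
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.provider/com.google.android.provider.AdminReceiver:
      uid=10123
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_SDK, SAMPLE_PM, SAMPLE_DUMPSYS):
        print("FINDING:", finding)
```

On a real device, feed the functions the output of `adb shell getprop ro.build.version.sdk`, `adb shell pm list packages -3` and `adb shell dumpsys device_policy` instead of the constructed samples.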