Android Web Users Victims of Cryptojacking Campaign


Malwarebytes' blog has described a "drive-by" mining campaign that redirected millions of Android phone users to a website that mines cryptocurrency in the browser. The site tells visitors to complete a CAPTCHA to prove the device is being operated by a human rather than an automated script, but the CAPTCHA code is static and hardcoded in the page's source, which gives the game away: the check is not a genuine anti-bot measure.

"The discovery came while we were investigating a separate malware campaign dubbed EITest in late January," the Malwarebytes post says.

The researchers say almost 60 million visitors have reached the malicious domains, arriving via websites and apps, which redirect Android users to pages set up for mining cryptocurrency.

The CAPTCHA code is exactly the same for every user, w3FaSO5R, and until it is entered and the Continue button is pressed, the phone or tablet mines Monero at full speed, maxing out the device's processor. Left unchecked, that can damage the device.

In a separate incident over the weekend, more than 4,000 websites in the US, UK, Australia and other nations were hijacked when attackers modified the code of the BrowseAloud accessibility plugin to secretly mine cryptocurrency.

In the Android campaign, some people may be redirected during regular browsing via malvertising, but infected apps carrying malicious ad modules are thought to be the main culprit. When visitors land on the mining page, it claims the mining is being done to pay for server traffic and instructs the user to enter the CAPTCHA code.
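The tell in the page described above, and again in the paragraph before this one, is a CAPTCHA that is never sent to a server: the expected value sits in the page's own source, and the mining starts on load rather than after the user does anything. The following is an added example, not code from the Malwarebytes report, of a heuristic scanner that looks for that shape in page source. The regexes, the miner indicator list and the two sample pages are assumptions constructed for the example; only the code w3FaSO5R comes from the report.

```javascript
// Added example (not from the Malwarebytes report): heuristic scanner for the
// drive-by mining page pattern. A genuine CAPTCHA is verified server-side; a page
// that compares the typed value against a string literal in its own source has a
// fake gate. Paired with script that spins up CPU-bound workers on load, before
// the user has done anything, that is the shape of the campaign. The regexes,
// indicator list and both sample pages are assumptions constructed here.

// A comparison of an input's .value against a short alphanumeric literal,
// e.g.  captcha.value == "w3FaSO5R"  or  el.value !== 'abcd1234'
const CLIENT_SIDE_CAPTCHA_CHECK = /\.value\s*[!=]==?\s*(["'])([A-Za-z0-9]{4,16})\1/g;

// Script features common to in-browser miners (heuristic indicators, not signatures)
const MINER_INDICATORS = [
  /new\s+Worker\s*\(/,             // background threads for hashing
  /WebAssembly\./,                 // compiled hash function
  /navigator\.hardwareConcurrency/ // size the worker pool to every core
];

// Return the literal codes the page checks CAPTCHA input against, deduplicated
function findHardcodedCaptchaCodes(html) {
  const codes = new Set();
  for (const m of html.matchAll(CLIENT_SIDE_CAPTCHA_CHECK)) codes.add(m[2]);
  return [...codes];
}

// Return the source of every miner indicator present in the page
function minerIndicators(html) {
  return MINER_INDICATORS.filter((re) => re.test(html)).map((re) => re.source);
}

// Combine both signals; a client-side gate alone or workers alone are not enough
function assessPage(html) {
  const hardcodedCaptchaCodes = findHardcodedCaptchaCodes(html);
  const indicators = minerIndicators(html);
  return {
    hardcodedCaptchaCodes,
    minerIndicators: indicators,
    suspicious: hardcodedCaptchaCodes.length > 0 && indicators.length > 0,
  };
}

// Constructed sample mimicking the described page: the same code for everyone,
// sitting in the source, and workers started on load rather than after a click.
const SAMPLE_MINING_PAGE = `
<p>Your device is mining to pay for server traffic. Enter the code to continue.</p>
<input id="captcha"><button onclick="check()">Continue</button>
<script>
  for (let i = 0; i < navigator.hardwareConcurrency; i++) new Worker('w.js');
  function check() {
    if (document.getElementById('captcha').value == "w3FaSO5R") location = '/next';
  }
</script>`;

// Constructed benign page: the answer is posted to the server, which verifies it;
// the only client-side check is that the field is not empty.
const SAMPLE_BENIGN_PAGE = `
<form method="post" action="/verify">
  <input name="captcha_answer"><button>Continue</button>
</form>
<script>
  document.querySelector('form').addEventListener('submit', (e) => {
    if (document.querySelector('input').value.length === 0) e.preventDefault();
  });
</script>`;

console.log(assessPage(SAMPLE_MINING_PAGE));
console.log(assessPage(SAMPLE_BENIGN_PAGE));
```

Run with Node; the mining sample is flagged with the code w3FaSO5R and two miner indicators, while the benign page, which only checks that the field is non-empty and posts the answer to the server, yields no codes and no indicators. The two signals are combined deliberately: plenty of legitimate pages use workers, and a hardcoded comparison on its own could be a harmless client-side hint, so neither alone should trip a filter.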


Malwarebytes found five domains involved, and there may be many more: the first was registered in November 2017, while the latest was registered less than a month ago. As a result, it recommends that Android users run security software and web filters to fend off these attacks. "This is unfortunately common in the Android ecosystem, especially with so-called 'free' apps," the post notes.

"We believe there are several more domains than just the few that we caught, but even this small subset is enough to give us an idea of the scope of this campaign," said Jerome Segura, Malwarebytes' lead malware intelligence analyst.

Although this hijack does not affect the cryptocurrency market directly, mining tricks like this one are unlikely to disappear anytime soon. Traffic analysis suggests most visitors spend around four minutes on the sites.

How much Monero could this operation yield? "Because of the low hashrate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month," the researchers write. "While these platforms are less powerful than their Desktop counterparts, there is also a greater number of them out there."