Android Monero-Mining Malware Can Cause Device Failure

Haythem Elmir

Trend Micro security experts have warned users today about a new type of Android malware that infects devices and untetheredly mines Monero in the phone’s background until the battery is exhausted or the device gives out.

Called HiddenMiner, this malware has been spotted inside apps distributed via third-party stores. Researchers say that most of the infected users are based either in China or India.

Experts say they’ve tracked the malware’s operations back to a mining pool where crooks made 26 XMR (around $5,400).

HiddenMiner needs access to an administrator account

HiddenMiner is not the first untethered Monero-mining malware that affects Android devices. The first was Loapi, spotted last December.

HiddenMiner took inspiration from Loapi because just like the aforementioned, HiddenMiner works by tricking users into giving it access to an administrator account.

The malware then uses this account to hide the original app behind transparent app icon, and immediately start a Monero miner that runs at all times in the phone’s background.

« There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted. Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail, » said Lorin Wu, a Mobile Threat Analyst for Trend Micro.

HiddenMiner can also lock users screens

But this isn’t HiddenMiner’s only malicious feature. The trojan also locks the user’s device whenever it detects an attempt to remote its administrator account on Android 6.0 devices and earlier. This behavior has been seen before in the LokiBot Android banking trojan.

Unfortunately, only by removing the admin account, a user will be able to remove the trojan from his device before the battery overheats and gives out, potentially destroying the rest of the device.

The only way to remove the administrator account is to reboot the device in Safe Mode and uninstall the rogue admin account, along with the HiddenMiner-infected app from there.

Currently, crooks are using a fake Google Play Store updater app ( to distribute HiddenMiner via third-party app stores, but experts expect crooks to diversify their portfolio and even start infecting users in other areas of the globe.


To  read the original article:

Laisser un commentaire

Next Post

Mole66 Cryptomix Ransomware Variant Released

Today MalwareHunterTeam discovered a new variant of the Cryptomix Ransomware that appends the .MOLE66 extension to encrypted files, changes the contact email, and slightly changes the ransom note’s name. In the past, we used to see new Cryptomix variants a few times a month, but this time it has been almost 2 months since the previous System variant was […]