Trend Micro security experts have warned users today about a new type of Android malware that infects devices and untetheredly mines Monero in the phone’s background until the battery is exhausted or the device gives out.
Called HiddenMiner, this malware has been spotted inside apps distributed via third-party stores. Researchers say that most of the infected users are based either in China or India.
Experts say they’ve tracked the malware’s operations back to a mining pool where crooks made 26 XMR (around $5,400).
HiddenMiner needs access to an administrator account
HiddenMiner is not the first untethered Monero-mining malware that affects Android devices. The first was Loapi, spotted last December.
HiddenMiner took inspiration from Loapi because just like the aforementioned, HiddenMiner works by tricking users into giving it access to an administrator account.
The malware then uses this account to hide the original app behind transparent app icon, and immediately start a Monero miner that runs at all times in the phone’s background.
“There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted. Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail,” said Lorin Wu, a Mobile Threat Analyst for Trend Micro.
HiddenMiner can also lock users screens
But this isn’t HiddenMiner’s only malicious feature. The trojan also locks the user’s device whenever it detects an attempt to remote its administrator account on Android 6.0 devices and earlier. This behavior has been seen before in the LokiBot Android banking trojan.
Unfortunately, only by removing the admin account, a user will be able to remove the trojan from his device before the battery overheats and gives out, potentially destroying the rest of the device.
The only way to remove the administrator account is to reboot the device in Safe Mode and uninstall the rogue admin account, along with the HiddenMiner-infected app from there.
Currently, crooks are using a fake Google Play Store updater app (com.android.sesupdate) to distribute HiddenMiner via third-party app stores, but experts expect crooks to diversify their portfolio and even start infecting users in other areas of the globe.
Image credits: Julien Deveaux, Bleeping Computer