Smart devices as Bitcoin mining slaves

Recently, we blogged about unintentionally installing Android ransomware on an Android HD media player. It is possible and probable that other unwanted programs, such as Bitcoin mining trojans, could be installed on a smart device.

Background
Bitcoin (BTC) is one of several popular digital (virtual) currency payment systems. It is decentralized and functions peer-to-peer (P2P) with a limited resource – it is suggested that there will only be 21,000,000 units of currency made available, also called bitcoins. Transactions are processed and verified across the Internet by nodes through a process called ‘mining’. A node that assists in processing transactions through this mining process receives payment in BTC, hence the term Bitcoin mining. Because the supply of this digital currency is limited, the supply growth is reduced by half every four years.

Cost of overhead
When Bitcoin first started several years ago, bitcoin mining was somewhat profitable and easier. Mining was not expensive: a normal personal computer with a typical display card could mine and process transactions, running night and day “digging” for money. If you were serious about mining, you could purchase a professional bitcoin mining machine at a cost of up to $60,000 USD.

As time goes on, the ability to mine for BTC has become more difficult, with an increase in cost for processing power such that the cost to process and mine for bitcoins exceeds the reward. Sometimes the profit cannot even pay the cost for electricity! To help reduce overhead, the process of mining has changed from using one’s own computer systems, to harnessing the power of other computers, and even mobile devices that can run BTC software such as phones and tablets.

Malware
In 2011, the first bitcoin mining malware was found on an Android mobile phone. The malware ran a bitcoin mining service in the background and sent mining payments to a specified digital wallet. The malware was not damaging to the host other than harnessing the computing resources of the mobile phone. The bitcoin mining did impact the mobile phone, however, as the service drained the battery quickly and the phone required frequent recharging.

To minimize the chance of draining the battery too quickly, and to help cover its tracks and avoid drawing suspicion, the malware author added a routine to check the battery level periodically; if the battery was under a certain level, it would suspend mining. It also monitored the screen – when the screen was on, it also stopped bitcoin mining, which helped to avoid degrading the performance of the mobile phone. We have to admit, it was a nice consideration of the malware author.

Proliferation
With the availability of more devices having the Android platform installed, such as smart TVs, it is conceivable that the bitcoin mining malware could get unintentionally installed on them. For example, a smart TV with Android could be a better host in comparison to a smart phone, as the TV is online a regular amount of time and has a power supply, thereby eliminating the chance of battery drain. One unwanted side effect, however, could be poor performance during video streaming or online video rentals if the infected TV was also performing bitcoin mining.

As Bitcoin is just one of many virtual currencies, such as FTC, LTC, FRC and so on, all of which have similar methods of currency processing or mining, digital currency mining malware for these other platforms has also been created. The target host could be other smart devices including smart phones, smart TVs, or even smart watches.

Hiding in plain view
In our research, and as confirmed elsewhere, we found that bitcoin mining malware is often paired with another app or program that the user might want. For example, we identified bitcoin mining malware hiding in Live Wallpaper apps.

This is an example of installing a (fake) live wallpaper (Anime Girls) to an Android device, in this case a HiMedia HD600a media player:

Fake live wallpaper “Anime Girls”

As anime girls are displayed, bitcoin mining malware runs in the background

The following are additional samples that install a bitcoin miner.
  • Epic Smoke Live Wallpaper
    com.arsmobi.lwp.smoke01.apk
    MD5: ebd28bf472bf8359d1de4d08c06d0db8
  • Beating Heart Live Wallpaper
    com.arsmobi.lwp.vd01.apk
    MD5: 8254f11b5bf8dc05526a91ab5ad6539b
  • Prized – Real Rewards & Prizes
    com.socialtokenmobile.prized.android.apk
    MD5: f3043c995cc1483280e764641db38a8b
  • Songs for Android
    com.originalsongs321.apk
    MD5: 24ba7b87da6c134a0faeb9eaf71575e9
  • Anime Girls Live Wallpaper
    com.arsmobi.lwp.anime01.apk
    MD5: cd519e46e6c4af334a10f40749d6af45
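
One way to check a device against the samples listed above, shown as an added example that is not code from 0xID Labs: it matches the output of `adb shell pm list packages -f` against the listed names and compares the MD5 of a pulled APK against the listed hashes. It assumes the package id is the APK file name without `.apk`; the `pm` output shown is constructed.

```python
import hashlib
import re

# Indicators copied from the sample list on this page: MD5 -> APK file name.
KNOWN_MD5 = {
    "ebd28bf472bf8359d1de4d08c06d0db8": "com.arsmobi.lwp.smoke01.apk",
    "8254f11b5bf8dc05526a91ab5ad6539b": "com.arsmobi.lwp.vd01.apk",
    "f3043c995cc1483280e764641db38a8b": "com.socialtokenmobile.prized.android.apk",
    "24ba7b87da6c134a0faeb9eaf71575e9": "com.originalsongs321.apk",
    "cd519e46e6c4af334a10f40749d6af45": "com.arsmobi.lwp.anime01.apk",
}
# Assumption: the installed package id is the file name minus ".apk".
KNOWN_PACKAGES = {name[:-len(".apk")] for name in KNOWN_MD5.values()}

# Accepts "package:<id>" and the -f form "package:<apk path>=<id>".
PM_LINE = re.compile(r"^package:(?:(?P<path>.+)=)?(?P<pkg>[\w.]+)$")

# Constructed sample of `pm list packages -f` output (not from a real device).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Settings.apk=com.android.settings
package:/data/app/com.arsmobi.lwp.anime01-1.apk=com.arsmobi.lwp.anime01
package:/data/app/com.example.player-2.apk=com.example.player
"""

def match_packages(pm_output):
    """Return (package id, apk path or None) for packages named on this page."""
    hits = []
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m and m.group("pkg") in KNOWN_PACKAGES:
            hits.append((m.group("pkg"), m.group("path")))
    return hits

def match_md5(data, known=KNOWN_MD5):
    """Return the listed sample name if the MD5 of the APK bytes is known."""
    return known.get(hashlib.md5(data).hexdigest())

def check_apk_file(path):
    """Hash an APK pulled from the device (e.g. with `adb pull`) and look it up."""
    with open(path, "rb") as fh:
        return match_md5(fh.read())

if __name__ == "__main__":
    for pkg, apk in match_packages(SAMPLE_PM_OUTPUT):
        print(f"listed package installed: {pkg} ({apk})")
```

A package-name match is only a lead, since names can be changed when an app is repackaged; pull the APK from the reported path and confirm it with `check_apk_file`.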
As always, be safe and vigilant.
0xID Labs