Android Apps on Google Play For Monero Mining

We are too used to mining Trojans that infect desktop computers, but mobile devices are not safe either. Just recently there has been an onslaught of news articles that talk about mining malware that mines the Monero crypto-currency. The malware made of the Google Play platform to affect as many mobile devices as possible. Seeing that this is a very nasty and recent development, we would like to take a deeper look at this issue in our article. After all, one of the best ways to protect your device from various infections is educating yourself about potential threats and their distribution methods.

It is somewhat confusing as to how cyber criminals manage to upload their malicious apps on Google Play. After all, this app store should be safe, and users should not think twice before downloading something. And it is true that Google removes malicious apps almost as soon as they are discovered, but there is always this time frame before the detection that is enough for a few users to download these malicious apps. Seeing that the criminals are making use of a wide range of keywords to lure unsuspecting users, it could be pointless to try and guess the type of malicious apps that could be uploaded to reliable sources.

For example, if we take at look at the latest malicious applications that were uploaded for crypto-currency mining, the apps were identified as Recitiamo Santo Rosario Free and SafetyNet Wireless App. The apps were detected by Trend Micro, and the researchers also have specific names for these apps, namely ANDROIDOS_JSMINER and ANDROITOS_CPUMINER. As you can tell from the names, they obviously show that the applications are created for mining purposes. On top of that, the apps are rather random, seeing how one is supposed to help you recite a rosary, and the other should ensure “safe” wi-fi connection. Needless to say, these apps do not do anything of the sort.

In order to avoid getting detecting by Google, such apps tend to use dynamic JavaScript loading and native code injection. It is actually not the first time that security researchers detected this type of malicious activity. Similar apps using the same techniques to spread around were detected several years ago. The only difference is that the miner apps from a few years back would infect users through corrupted websites and advertisements, but this new distribution vector is more specific as it uses Google Play.

Now, why are cyber criminals so bent on mining crypto-currency, and why do they go as far as targeting Android users? Of course, you know by now that crypto-currency or digital currency does not have a physical form, but it is a very hot commodity online. For example, Bitcoin, which is probably the most well-known form of digital currency, is now insanely expensive, and the conversion rate stands at around $8200USD for one Bitcoin. Albeit Monero is not that expensive (the current price is around $130USD for a coin), it is still valuable enough for shady third parties to look for ways to mine it.

Perhaps one of the reasons anyone can mine those coins is that there is no third-party authority that would overlook the digital currency. Although that offers lower fees and unlimited global use, it also opens opportunities for cyber crooks to mine the coins surreptitiously. In order to mine the digital currency, one needs specific software and hardware. It is obviously a lot easier to come up with a software program rather than enough of hardware equipment that would help one mine digital currency. So people who employ manners are bound to exploit third-party machines to get some coins.

How are digital coins generated in general? The computers that run the mining software solve extremely complicated math problems. For each solved problem, they get a coin. Since the problems are really difficult to crack, the mining software requires a lot of processing power, and so that is the main reason users CAN recognize that their machines have been taken over by mining software. That is to say, if the system starts becomes sluggish, and the programs do not work properly, it is about time to run a security scan.

It is important to note that digital currency itself, such as Bitcoin, Litecoin or Monero, is not in any way malicious. It is the ACTS of the third parties that try to attain the currency that are classified as criminal activity. And this attack via Google Play we have mentioned in the first few paragraphs falls into the same category. The only good thing about such infections is probably the fact that digital currency miners do not intend to steal personal data or virtually destroy the affected device. Of course, it does not mean that one should keep such programs on their devices. After all, eventually the device can easily crash because the program takes up system resources to the fall.

What’s more, news reports point that it is hard to say whether this Monero mining app is lucrative. The exact number of downloads to particular devices has not been reported. Although Trend Micro has found that cyber criminals have mine around $170 USD in digital currency through Google Play attacks, it is clear that the known figure is not complete.

Albeit the scope of these scams is not as imposing as that of ransomware infection, the presence of corrupted mining apps on Google Play means that these security loopholes can be exploited later on as well. Thus, security experts recommend exercising caution users download new apps, especially if they come from unfamiliar developers. Google will definitely pull corrupted apps offline the moment they get detected, but it is always better to safe than sorry.

Do not allow your device to get enslaved by these criminals. It is a matter of time until cyber criminals regroup and release more threats, ready to attack you any second. Security has to be ensured by more than one party. So joints efforts from you and a reliable security program are bound to decrease the possibility of a malware attack.


  1. The Canadian Press. What is a digital currency and how does cryptocurrency mining work? Financial Post.
  2. Paul Lilly. Coinhive Monero Cryptocurrency Mining Malware Once Again Invades Google Play. Hot Hardware.
  3. Jason Murdock. Google Play Store plagued by hidden cryptocurrency mining malware attacking Android phones. International Business Times.
  4. Dave Neal. Monero miner malware found lurking behind Android apps. The Inquirer.
  5. Liam Tung. Android security: Coin miners show up in apps and sites to wear out your CPU. ZDNet.
  6. Waqas. Three Monero Mining Malware Apps Found on Play Store. HackRead.