Cryptocurrency-mining operators are posting extremely detailed and legitimate-looking hacking apps that are in fact trojans designed to spread the Coinhive cryptocurrency miner.
Malwarebytes researcher Nathan Collier detailed one such campaign, which is designed to attract a nefarious actor searching for a way to hack into a specific app. Such hacking apps are usually sought to obtain an app's paid features for free, but the person who created the trojan combines excellent social engineering with a simple initial execution stage to inject the miner, along with some other malware, without the victim knowing what has happened.
The example used focused on an app designed to hack into the ride-sharing app Lyft. A browser search turns up the hacking app.
“There, right at the top of the results, is the link to the hack app you desire. You decide to play it safe and navigate to the source domain rather than the direct link to the hack app. It's a clean but simple-looking website called androidapk.world,” Collier wrote.
With everything looking legitimate, the target clicks the link and is taken to a well-designed page with all the proper descriptions in place.
At this point a few red flags appear, Collier noted. The first is a message that another link has to be clicked to reveal the premium content desired. This should scare off most people, but if the person decides to proceed, the three links all lead to other web pages that have nothing to do with obtaining the desired Lyft hack app. Instead, the downloaded app appears to be nothing more than a clickjacking vehicle, which generates a minor profit for the app's creator.
But that is just the cover for other actions that are taking place.
Once the victim realizes he or she has been had, it is easy enough to uninstall the fake hacking app from the device's app manager. But while the malicious app can be removed, it has already been mining.
“So far, the attempts to dupe users seem bush league. Meanwhile, the true malicious intent has been running in the background all along. During the entire process of clicking through redirect links, the user may notice their mobile device being a tad slow. That's because a bitcoin miner has been running the whole time. Under the Java class com.coinhiveminer.CoinHive is a Monero JavaScript miner. Thus, we classify this bogus hack app as Android/Trojan.CoinMiner.kki,” Collier said.
Then, as if to add insult to injury, the fake hack app installs adware on the device that serves pop-ups.