HiddenMiner mining malware may shut down devices

Malware ‘HiddenMiner’ Mines Monero Until Device Fails

During an ongoing cryptojacking trend, researchers at cybersecurity firm Trend Micro recently found a cryptocurrency mining malware they dubbed HiddenMiner that drains the phones it infects so badly it can force them to break down. The malware was found mining Monero (XMR), a privacy-centric cryptocurrency.

According to researchers, the sophisticated mining malware masquerades as a legitimate Google Play update so it can get users to install it. Once installed, it requires users to activate it as a device administrator, and shows persistent pop-ups that bug the user until the activation button is pressed.

Then, HiddenMiner springs into action and starts using the device’s CPU resources to mine Monero for the hackers behind it. Per Trend Micro, the mining malware mines continuously until the device is overheated and consequently shuts down.

The firm’s blog post reads:

“There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted. Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.”

HiddenMiner can be found in third-party app stores, and is currently targeting users in India and China, two countries in which third-party apps are fairly popular. It’s similar to a malware known as Loapi.

Loapi, however, didn’t just used the target’s CPU power to mine Monero. It also conducted distributed denial of service (DDoS) attacks that caused the device’s battery to budge, leading to its destruction.

HiddenMiner is a profitable mining malware

Trend Micro researchers noted that they were able to find the mining pool the cybercriminals were using, and at least one wallet. Per their blog post, on March 26 the attackers withdrew 26 XMR, worth over $5,000, from their wallet. This means HiddenMiner is a profitable cryptocurrency mining malware.

To avoid being detected and maximize mining gains, the malware manages to hide its operations using anti-emulator capabilities, which help it bypass detection. It also hides itself in user’s devices, by emptying the app label and using a transparent icon after being installed.

Trend Micro researcher Lorin Wu added:

“For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”