Armor.Trojan.CryptoMiner

Category: Trojan

  • This is a threat.
  • Can cost money.
  • Potentially unwanted behavior.

Summary

CryptoMiner is an Android Trojan capable of hijacking Android devices to mine cryptocurrencies for the malware author. This threat is delivered to the device as part of a repackaged application, installed by someone with physical access to the device. CryptoMiner malware has been discovered on Google Play and on other third-party Android application markets and forums.

This threat is unusual in that it does not attempt to steal money or information from the victims. CryptoMiner malware only intends to hijack the processing power of the infected device to mine for cryptocurrencies. CryptoMiner malware has been observed mining the following cryptocurrencies:

  • Litecoin
  • Dogecoin
  • Casinocoin

The mining activity runs in the background and begins when the malware detects that the device is connected to the internet. The malware connects to a “dynamic domain” that then redirects it to the default mining pool. This Trojan is also capable of downloading a configuration file from a remote server that can redirect the infected device to several different mining pools.

The CryptoMiner Trojan used a new method to hide its malicious code from security researchers: the malware authors embedded it in a modified copy of the legitimate Google Ads framework, a library commonly bundled with applications.

Devices infected with the CryptoMiner Trojan may show the following signs of infection:

  • Warm battery
  • Overheating
  • Quickly depleted battery
  • Battery charges slowly
  • Unusually high data usage

Although CryptoMiner is not designed to steal information or money from the victim, it is potentially dangerous and may cause irreparable damage to the device. Armor for Android recommends that this threat be uninstalled immediately.

Additional Details

Package Name:
com.originalsongs123
com.socialtokenmobile.prized.android

First Detected:
March 2014

File Type:
APK (Android application package file)

SHA256:

Permissions:
Access location information, such as Cell-ID or WiFi
Access location information, such as GPS information
Access information about networks
Access information about the WiFi state
Connect to paired bluetooth devices
Initiate a phone call without using the Phone UI or requiring confirmation from the user
Access list of accounts in the Accounts Service
Access information about currently or recently running tasks
Open network connections
Read user’s calendar data
Read user’s contacts data
Check the phone’s current state
Start once the device has finished booting
Send SMS messages
Make the phone vibrate
Prevent processor from sleeping or screen from dimming
Create new calendar information
Create new contact data
Write to external storage devices

Repair Instructions

Users should be careful when downloading applications from third party Android markets.

Always review application permissions to make sure no unusual permissions are being requested.
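The permission list above is the most concrete indicator this write-up gives, and the advice to review permissions is easier to act on with a small triage script. The following is an added example, not code from the Armor for Android write-up: it parses `aapt dump permissions` style output (the sample input is constructed from the permissions listed above, using the write-up's package name) and flags the combination a background miner needs to run, stay awake and restart after reboot, plus any permissions that cost money or expose data. The mapping from the write-up's plain-English descriptions to AndroidManifest constants is this example's own assumption.

```python
"""Triage an Android app's requested permissions against a coin-miner profile.

Added example (not part of the Armor for Android write-up). The permission
constants below are standard Android manifest names; which of them correspond
to the write-up's plain-English descriptions is this example's assumption.
"""
import re

# Permissions a background miner needs: network access, keep the CPU awake,
# restart after reboot, and know when the device is online.
MINER_CORE = {
    "android.permission.INTERNET",
    "android.permission.WAKE_LOCK",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Permissions that cost the user money or expose personal data; a music
# application has no obvious reason to request any of them.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send SMS messages (may cost money)",
    "android.permission.CALL_PHONE": "can place calls without confirmation",
    "android.permission.READ_CONTACTS": "reads contact data",
    "android.permission.WRITE_CONTACTS": "creates contact data",
    "android.permission.READ_CALENDAR": "reads calendar data",
    "android.permission.WRITE_CALENDAR": "creates calendar entries",
    "android.permission.GET_ACCOUNTS": "lists accounts on the device",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
}

# Matches both "uses-permission: name='X'" (newer aapt) and "uses-permission: X".
_PERM_RE = re.compile(r"uses-permission:\s*(?:name=')?([A-Za-z0-9_.]+)")

# Constructed sample: the permissions listed in the write-up, in aapt's format.
SAMPLE_DUMP = """package: com.originalsongs123
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
uses-permission: name='android.permission.BLUETOOTH'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.GET_TASKS'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CALENDAR'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.WRITE_CALENDAR'
uses-permission: name='android.permission.WRITE_CONTACTS'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

# Constructed sample of a benign-looking app for comparison.
BENIGN_DUMP = """package: com.example.benign
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_NETWORK_STATE
uses-permission: android.permission.VIBRATE
"""


def parse_aapt_permissions(dump: str) -> set:
    """Return the set of permission names found in aapt-style output."""
    return set(_PERM_RE.findall(dump))


def triage(perms: set) -> dict:
    """Score a permission set; 'suspicious' when the full miner profile is present."""
    core_hits = sorted(perms & MINER_CORE)
    risky = {p: HIGH_RISK[p] for p in sorted(perms & set(HIGH_RISK))}
    if len(core_hits) == len(MINER_CORE) or len(risky) >= 2:
        verdict = "suspicious"
    elif risky:
        verdict = "review"
    else:
        verdict = "ok"
    return {"miner_core": core_hits, "high_risk": risky, "verdict": verdict}


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        result = triage(parse_aapt_permissions(dump))
        print(label, result["verdict"], len(result["miner_core"]), "core hits")
        for perm, why in result["high_risk"].items():
            print("  ", perm, "-", why)
```

Run it against a real APK with `aapt dump permissions app.apk | python triage.py` after swapping the constructed sample for `sys.stdin.read()`; the verdict is only a prompt for manual review, since many legitimate apps legitimately hold WAKE_LOCK and INTERNET.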

Android users should only download applications from a trusted source.

We advise Android users to download and use antivirus software to keep their Android device and personal information safe.

Armor for Android Uninstall:

  • Scan your device using Armor for Android
  • Click the Fix Now button
  • Select the threat from the scan results
  • Click the Uninstall button

Manual Uninstall:

  • Open the Android Menu
  • Go to Settings
  • Select Applications
  • Select Manage Applications
  • Select the infected application and click the Uninstall button

Android Malware Write-up By: James Green