Security firm Trend Micro has discovered a new strain of Android malware, calling it “HiddenMiner” because of the advanced techniques it employs to protect itself from discovery and removal. Like most cryptocurrency-mining software, HiddenMiner uses a device’s computing power to mine Monero. But according to Trend Micro, because there is no switch, controller, or optimizer in HiddenMiner’s code, it will continuously mine Monero until the device’s resources are exhausted.
“Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail,” the company said.
This strain is not the first cryptocurrency-mining malware to put smartphone hardware at risk: last year the “Loapi” Android malware worked a phone so hard that in less than 48 hours its battery swelled up, bursting open the device’s back cover. Trend Micro said the two pieces of malware share similarities, pointing out that both HiddenMiner and Loapi lock a phone’s screen after users attempt to revoke device administration permissions.
Further, researchers have identified the Monero mining pools and wallets associated with the malware, and discovered that one of the pool operators withdrew 26 XMR — amounting to almost $5,000 — from one of the wallets. This, the firm said, indicates a “rather active” campaign of using infected devices to mine cryptocurrency.
To protect devices, Trend Micro advises users of Android devices to practice “mobile security hygiene.” This means only downloading from official app marketplaces, regularly updating a device’s OS, and being prudent with the permissions granted to applications. So far, HiddenMiner is affecting Android users in India and China, but Trend Micro says it “won’t be a surprise” if it spreads to other countries.
HiddenMiner Techniques
HiddenMiner poses as a legitimate Google Play update app, and forces users to activate it as a device administrator. The app will continue to pop up until victims click the Activate button. Once granted permission, HiddenMiner will start mining Monero in the background.
It also attempts to hide itself on infected devices by emptying the app label and using a transparent icon after installation. This allows the malware to stay out of sight and run automatically with device administrator permission until the next device boot. According to Trend Micro, HiddenMiner also has built-in anti-emulator capabilities to evade detection and automated analysis.
It’s also hard to get rid of: users can’t uninstall an active system admin package until device administrator privileges are removed first. But HiddenMiner locks the device’s screen when a user wants to deactivate its device administrator privileges, taking advantage of a bug found in Android operating systems before Android 7.0 Nougat.
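The three traits described above (a device-administrator receiver, an emptied app label, and a package posing as a Google Play update) can be turned into a simple static triage check for defenders. The script below is an added example written for this article, not Trend Micro's detection logic; it assumes the traits are visible in the APK's AndroidManifest.xml (the article says the label and icon are changed after installation, so a runtime check on the device would complement this), and the package names and manifests it contains are constructed placeholders. The transparent-icon trait is deliberately left out because it cannot be judged from the manifest alone.

```python
"""Static triage of Android manifests for HiddenMiner-style traits.

Added example for this article, not Trend Micro's code. The heuristics are
assumptions derived from the traits the article describes, not a published
detection rule; the sample manifests and package names are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
# Namespaces whose packages legitimately carry "play"/"update" in the name.
TRUSTED_PREFIXES = ("com.google.", "com.android.")


def android_attr(element, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Return a list of findings for one AndroidManifest.xml string.

    Heuristics (assumptions of this example):
      1. empty android:label on <application>: hides the app from app lists
      2. a device-admin <receiver>: lets the app resist uninstall
      3. package name mimicking a Google Play update outside Google's namespace
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []

    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]

    label = android_attr(app, "label")
    if label is not None and label.strip() == "":
        findings.append("empty application label")

    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and/or listens
    # for the DEVICE_ADMIN_ENABLED action; one hit is enough to flag it.
    for receiver in app.iter("receiver"):
        perm = android_attr(receiver, "permission")
        actions = {android_attr(act, "name") for act in receiver.iter("action")}
        if perm == BIND_DEVICE_ADMIN or DEVICE_ADMIN_ENABLED in actions:
            findings.append("device-admin receiver: %s" % android_attr(receiver, "name"))
            break

    lowered = package.lower()
    looks_like_play_update = "play" in lowered and "update" in lowered
    if looks_like_play_update and not lowered.startswith(TRUSTED_PREFIXES):
        findings.append("package name impersonates a Google Play update: %s" % package)

    return findings


# Constructed sample: the traits the article attributes to HiddenMiner.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.googleplay.update">
    <application android:label="" android:icon="@drawable/icon">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin"
                       android:resource="@xml/device_admin"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed sample: an ordinary app with none of the traits.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <application android:label="Notes" android:icon="@drawable/icon">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        hits = triage_manifest(xml)
        print("%s: %d finding(s)" % (name, len(hits)))
        for hit in hits:
            print("  -", hit)
```

Each finding on its own is weak evidence (many legitimate device-management apps register a device-admin receiver), so the value is in the combination: an app that hides its label, holds device-admin rights and borrows Google's branding is worth pulling for analysis.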
GhostMiner and Jenkins Miner
Just last week, researchers at Minerva Labs uncovered another Monero-mining malware strain, which the firm dubbed GhostMiner. GhostMiner uses “fileless” malware delivery techniques to land on systems, and will fight to remove other mining malware so it can mine Monero itself.
At the time of publication, GhostMiner had not accumulated hefty profits, but warranted attention because of its unique self-preservation methods. Monetarily, this is nothing compared to operations like the Jenkins miner, which earlier this year made its developers over $3 million in Monero.