Threat Research

A Mobile Bitcoin Miner? Really?

By Axelle Apvrille | February 25, 2019

This is the second time this year that I have bumped into an alleged "Bitcoin Miner" for Android. Just in case you were wondering, mining for BitCoin on an Android smartphone (even on a high end device) is not feasible, and all of these apps are scams (if not worse).

1. Bitcoin Mobile Miner - 

 5b96c6ef5fcdd632e051c3df2c0c7f4149dceffdc1713bf84bc855de9356119b

The first one I noticed was discovered on January 10th, 2019. It is named "Bitcoin Mobile Miner" and promises fast gains.

It also kindly monitors your CPU & Battery temperatures, and advises you to close the app if your mobile phone gets too hot.

This is a cunning strategy for the attacker to mine more intensively: it asks for the victim’s cooperation! As the victim thinks s/he is mining for him/herself, the strategy will probably work...

Illustration 1: Advises victim to check CPU & battery temperature

Here is the code monitoring the device’s CPU temperature:

public float getCpuTemp() {

        float v4;

        try {           

            Process v2 = Runtime.getRuntime().exec("cat sys/class/thermal/thermal_zone0/temp");

            v2.waitFor();

            v4 = Float.parseFloat(new BufferedReader(new InputStreamReader(v2.getInputStream())).readLine()) /

 1000f;

        }

Unlike the other app reviewed in this analysis, this one actually mines for cryptocurrency—but not for Bitcoins. It mines for Monero, which is far less CPU-intensive. And not for your own account, but for the attacker's—who has registered the CoinHive key QnXbx7vLFIUq9FT0kfNZSjBkUD0GCcqi for that purpose. (As a reminder, CoinHive is a well-known mining API in JavaScript frequently abused by cybercriminals for cryptojacking.)

2. Bitcoin Miner -

be4f08d244dcb57bfbb507042c221b8a8748e9d292fd881f90316414f03c3242

The second fake Android app was discovered on February 3, 2019, though it might have been on some marketplaces since December 2018.

This one simply does not mine for anything, but it does display several ads. So, it is basically an adware wrapped in a nice looking mining application where a miner collects bitcoins...

The application makes a lot of effort to seem legitimate:

  1. The website (below) has a professional look (the link to the Play Store is broken though, as the application has been removed from the marketplace).
  2. There is a support email.
  3. There is a Privacy Policy.
  4. There is an option "Personalized advertising GDPR" ;-)
  5. You can get "Upgrade Plans" to mine faster (!!) by rating the app or purchasing it. Actually, you get upgraded to the "Demo Premium Plan" even if you do not rate the app ;)

The bitcoins withdrawal feature is also fake. The code is quite explicit: once you request a payment, the app simulates the transaction flow. At the beginning, the transaction will be marked "Pending". Then 5 days later, it changes its status to "Approved". Then 5 days later to "In Processing", and finally to "Sent".

If (ref.balance_unreal > 0f) {  // if balance is positive

    TextView tv = new TextView(this);

    tv.setTextColor(App.getContext().getResources().getColor(resource));

    long timediff = System.currentTimeMillis() - ref.balance_unrealtime;

    if (timediff < 432000000) {  // 5 days

        tv.setText(i.displayDate(ref.balance_unrealtime) + "  Pending: " + i.displayFloat(ref.balance_unreal));

    }   

    else if(timediff < 864000000) {

        tv.setText(i.displayDate(ref.balance_unrealtime) + "  Approved: " + i.displayFloat(ref.balance_unreal));  // 10 days

    }   

    else if(timediff < 1296000000) {        

        tv.setText(i.displayDate(ref.balance_unrealtime) + "  In Processing: " + i.displayFloat(ref.balance_unreal));  // 15 days

    }   

    else {

        tv.setText(i.displayDate(ref.balance_unrealtime) + "  Sent: " + i.displayFloat(ref.balance_unreal) + "\nTrans id: " + g.generateRandomTransactionId() + "..");  // more than 15 days

            }

    this.llWithdrawals.addView(((View)tv));

    }  

Last but not least, we noticed lots of dummy functions in the code to make analysis more difficult. The following is an example of one of these functions:

public static void dummy() {  // [does nothing except confuse the reversing... ;)]

        inr v1 = 10;
        int v4 = 0;
        int v2 = 356421020;
        int v3 = 0x7601C42E;
        int v0 = 20;
        int v5;
        for(v5 = 0; v5 < v0; ++v5) {
             v1 += -10;
             if(v1 < 0) {
                v1 += 20;
                ++v3;
                ++v2;
             }
            else {
                  v3 = v3;
                  ++v2;
            }
        }
        new SecureRandom().nextFloat();
        for(v0 = 0; v4 < 18; ++v0) {
             v4 += v0;
        }
    }

Conclusion

Whatever happens, remember that any application which claims to "mine Bitcoins" on a smartphone is suspicious.

– the Crypto Girl

Fortinet detects both applications with the following:

  • 5b96c6ef5fcdd632e051c3df2c0c7f4149dceffdc1713bf84bc855de9356119b as Riskware/CoinHive!Android
  • be4f08d244dcb57bfbb507042c221b8a8748e9d292fd881f90316414f03c3242, 0a8e1072a288f23ffa4d7f6978b37bbc979b26ee9d21421c4797818bd1efe93d and b79d13e426498b442995ffd4f6142efe1d28456b92f814338ee7454d9f252ecf as Riskware/FakeMiner!Android