Widdit: When Mobile Mining Malware Might Be LegitDownload Case Study
We’ve seen a lot of mobile mining malware in the last month, but this latest discovery introduced a major grey area: What if mobile miners are being used as a new in-app business model? Lookout started asking this question when we came across a company called Widdit. Widdit offers a software development kit that developers use to replace the Android lock screen with a customized lock screen. We spotted Widdit using mining code in its SDK and a subsequent app we believe the company created to test this SDK. The SDK was well written and provided the advertised functionality, indicating that it was unlikely to be a cover for mining. So, as we pushed protection for our users, we reached out to Widdit to find out what was up. The result? Widdit promptly responded to Lookout’s request and removed the offending app from Google Play. The company explained that it was experimenting with mining and distributed computing. Here’s how:
What did Widdit do?
Earlier versions of the Widdit SDK had the mining code baked-in. Before they start mining, apps with the older SDK, including a “Social Lock Screen” app built by Widdit itself, checked every 60 seconds for three conditions to be true before mining:
Version A: The Old SDK Earlier versions of the Widdit SDK had the mining code baked-in. Before they start mining, apps with the older SDK, including a “Social Lock Screen” app built by Widdit itself, checked every 60 seconds for three conditions to be true before mining: 1.) The device must be charging 2.) The lock screen is active, indicating the user is likely not interacting with the device 3.) The app has been running at least 60 seconds Widdit used Litecoin-specific mining code from an open source project called LTCMiner. The mining pool it requested work from is known as "mine.pool-x.eu:8080,” the administrators of which instruct new people to “Join the crew. Bring your slaves.” Widdit chose it’s account name as “phobia” and named its workers, or bot phones, phobia.1, phobia.2, and ongoing incrementally. This structure is recommended by the mining pool admins. The operators further recommend that you set the worker password as just “x”.
The choice to mine Litecoins was a strategic one. Mining Litecoins on Android is easier than Bitcoins for a couple of reasons: 1.) For the most part, only CPU mining is available on Android. 2.) Bitcoin difficulty is too high for effective CPU mining.
Version B: The New SDK As the SDK evolved, so did the mining code. The later version of the SDK downloaded the mining code dynamically along with additional code at runtime. This has legitimate benefits, of course. It means developers using the SDK do not have to update their apps every time the Widdit SDK is updated. It also means most developers have no idea that Litecoin mining code is included with the SDK. It was not communicated anywhere on the Widdit website or in any terms of service. This could also be tactic to get around Google’s security scanner Bouncer in that the actual “bad” code doesn’t exist until after it has gone through the scanning process. The process reminds us of Badnews, a piece of malware we found last year that posed as an advertising network SDK, but later pushed “ad-like” notifications to download a malicious application. Of course, it hid this until after it was out of Bouncer. Bouncer is getting more sophisticated, however. We predict people who want to slip past Bouncer are developing more nuanced ways of hiding their malicious behaviour in the review process.
Both versions of the SDK shared the same conditions for mining except for one addition in version B: mining had to be enabled in the configuration downloaded from Widdit's servers. The request URL for the configuration was http://cdn3.widdit.com/screenalyze/pub/<publisher ID>/<homebase ID>/settings/xlarge.json Mining requires "enableDC" to be set to "1". The configuration looks like:
// many more lines ...
What did Widdit say?
Widdit explained to us that it was experimenting with distributed computing on mobile and decided not to follow the monetization model. As a result, the company began cleaning up it’s experimental apps. It claims to have “missed” the Social Lock Screen app in this process. Furthermore, the company claims that the code used in the SDK is actually geared toward scientific research functionality, similar to BOINC, which uses distributed computing to study a number of different scientific topics. This is hard to believe given that the code involved was actually an open source Litecoin miner, but certainly the company could have had intentions of moving in this direction or that the code was once BOINC-like. We did not observe this. Widdit stressed to us that it is also cleaning up its HomeBase SDK. The company says the mining code was never actually called out or put into real use. We verified that the mining code is no longer being downloaded in the current version of the SDK on May 13, 2014.
Mining as a business model
Like advertising, mining is another opportunity, albeit an inefficient one, to make money on mobile. There’s a chance that some companies might want to replace their advertising revenue with mining, which can be less intrusive if done right. It’s a trade-off: instead of seeing banner ads and having your information collected, you might hand over some of your battery and computing power. In an effort to preserve that business potential, we gave Widdit the benefit of the doubt and we’re glad we did. Though, we have and will flag miners in the future, we believe that in order to be a legitimate miner, you need to blatantly alert the user to your intentions -- a sentiment we shared with Widdit. We understand that businesses will always be experimenting with technology. That’s why we aim to investigate and collaborate with companies if they give us a reason to believe in their legitimacy.