In order to add to their stockpiles, criminals are getting really inefficient: turning phones into digital currency-mining bots. We recently saw several versions of this malware family we call CoinKrypt, which is designed to hijack your phone in order to use it to mine digital currency for somebody else. So far we have only found CoinKrypt in Spanish forums dedicated to the distribution of pirated software. Digital currencies are acquired through a few avenues. You can buy them on their respective markets, but you can also perform a process called “mining.” By mining you allow the digital currency to use your computer’s resources to validate waiting transactions. Only when a transaction has been validated in this way can it be added to the blockchain. As payment for lending your computing time to the network the network rewards miners with newly created coins.
The process is possible for any ordinary computer or smartphone using a special piece of software. While it doesn’t steal any information from your phone, mining can be incredibly resource-intensive and, if allowed to run without any limits, could potentially damage hardware by causing it to overheat and even burn out. As a minimum, users affected by this malware will find their phones getting warm and their battery-life massively shortened. Another added annoyance? CoinKrypt might suck up your data plan by periodically downloading what is known as a block chain, or a copy of the currency transaction history, which can be several gigabytes in size. Currently detection levels are very low for this threat and although distribution appears to be primarily through shady Spanish forums most of the detections are in France . If you’ve got Lookout, don’t worry about your phone becoming a slave to this criminal’s mining operation. You’re completely protected.
Targeting low-hanging fruit
As malware goes, CoinKrypt is about as basic as they come. Comprised of just three small program sections or classes embedded in the target app, all it really does is kick off the mining process. However this lack of complexity is part of what makes it dangerous. Normal mining software is set up to throttle the rate at which coins are mined to protect the hardware it is running on. This includes no such protection and will drive the hardware to mine until it runs out of battery. Overheating associated with this kind of harsh use can also damage hardware. We’ve seen it targeting Litecoin and Dogecoin yet ignoring the much more popular Bitcoin. This leads us to believe this criminal is experimenting with malware that can take advantage of lower-hanging digital currency fruit that might yield more coins with less work. With the price of a single Bitcoin at $650 and other newer currencies such as Litecoin approaching $20 for a single coin we are in the middle of a digital gold rush. CoinKrypt is the digital equivalent of a claim jumper. Why target Dogecoin or Litecoin and not the much more profitable Bitcoin? In order to control the rate at which new digital coins are minted, the software that runs the currency sets a difficulty rate which governs just how much processing power you need to expend in order to solve the blockchain and get new coins. The difficulty for Bitcoin is so tough right now that a recent mining experiment using 600 quadcore servers was only able to generate 0.4 bit coins.
Table comparing mining difficulties between digital currencies as of 3/14/14 As you can see from the table above, it is almost one million times easier to mine Litecoin than Bitcoin and over 3.5 million times easier to mine Dogecoin. Despite the fact that this malware author was likely targeting the lower hanging digital currency fruit, mining likely isn’t worth the return on investment for this malware.
When we tested the feasibility of mining using a Nexus 4 by using Android mining software such as the application “AndLTC”, we were only able to attain a rate of about 8Kh/s - or 8,000 hash calculations per second, the standard unit of measure for mining. Using a Litecoin calculator and the difficulty setting mentioned above we can see that this would net us 0.01 LTC after seven days non stop mining. That’s almost 20 cents. This is probably why the latest samples we have found are now targeting an even newer, or lesser-used digital currency. While mining as a strategy hasn’t paid off for these malware authors, as these digital currencies continue to grow, we predict that the number of new malware families targeting them will also continue to grow as malware authors experiment with various different strategies in their desire to cash in. Check out our suggestions on how to stay safe:
- Make sure the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download app installs
- Download a mobile security app like Lookout’s app that protects against malware as a first line of defense