The malicious deployment of in-browser JavaScript-based cryptocurrency mining scripts continued over the past week. We've seen them reach Android applications on the official Google Play Store, and we've also seen the first mass deployment as part of a botnet of hacked WordPress sites.
While there are multiple players on the JS-based cryptocurrency mining market, Coinhive remains the attackers' top choice, as we've seen this week after the launch of the WhoRunsCoinhive service.
Coinhive found in Android apps
Most desktop users already run an ad blocker or antivirus that can block these scripts. The same cannot be said for mobile devices, where most users still don't use an antivirus on a regular basis, nor do they install ad blockers in their mobile browsers.
This is why Trend Micro's discovery of two apps that deploy a Coinhive mining script is worrisome.
The two apps, now removed from the official Play Store, are named "Recitiamo Santo Rosario Free" and "SafetyNet Wireless App." Both of these apps deploy a copy of the Coinhive miner inside a hidden WebView browser.
While the user keeps the two apps open, the miner runs, pushing the phone's resources to their maximum to mine Monero for the apps' authors.
The problem is that the apps do not request permission to do so, and cryptocurrency mining will surely lead to the device overheating, reduced battery life, reduced performance, and general wear and tear on the device's physical state.