Cybercriminals are increasingly hijacking other people’s devices to mine Monero (XMR), in a trend now called cryptojakcing. According to Malwarebytes, a “drive-by” mining campaign recently redirected millions of Android users to a website that hijacked their devices to mine the privacy-centric cryptocurrency using Coinhive .

The campaign worked by redirecting users to a page that told them their device was “showing suspicious surfing behavior.” As such, they needed to verify they were human by solving a CAPTCHA, while their device was used to mine Monero “in order to recover server costs incurred by bot traffic.”

All users had to do was solve the CAPTCHA and click a “continue” button. Once solved, they would be redirected to Google’s home page, which researchers noted was an odd choice. Malwarebytes details that it first spotted the “drive-by” campaign last month, but that it could’ve been around since November 2017. The exact trigger that captured users isn’t clear, but researchers believes infected apps with malicious ads did the trick.

Their post reads:

“While Android users may be redirected from regular browsing, we believe that infected apps containing ad modules are loading similar chains leading to this cryptomining page. This is unfortunately common in the Android ecosystem, especially with so-called “free” apps.”

Malwarebytes researchers weren’t able to identify all the domains users were being redirected to. They managed to identify five domains, and concluded that these received about 800,000 visits per day, with an average of four minutes spent mining, per user.

To find out the number of hashes being produced, researchers note, a conservative rate of 10h/s was used. This low hash rate, coupled with the four minute average spent on time, means the hackers behind it could only be making “a few thousand dollars” per month.

The Cryptojacking Trend

Notably, researchers discovered the drive-by campaign while studying a separate malware dubbed EITest. They were testing various chains that often led to tech support scams on Windows, but soon found that things were different when using Android.

The ongoing cryptojacking trend seemingly began when torrent-index website the Pirate Bay started using it as a potential alternative to ads. Since then, bad actors took advantage of the code Coinhive provides to mine Monero, and used it on Google Chrome extensions, UFC’s website, and even Starbucks’ Wi-Fi.

While on their PCs users can block cryptocurrency mining scripts by using anti-malware programs on their machines and browsing the web through browsers with inbuilt tools like Opera and Brave, Android users are advised to stick to Google’s Play Store, and use security software.

Featured image from Shutterstock.