Researchers scouring the official Google Play market have unearthed more Android apps that surreptitiously abuse end-user devices to carry out the computationally intensive process of mining Bitcoins.


The malware, dubbed "BadLepricon" by its creators, was stowed away inside five separate wallpaper apps that had from 100 to 500 downloads each, according to a blog post published Thursday by researchers from Lookout, an anti-malware provider for smartphones. Google employees promptly removed the offending apps once Lookout reported them. It's at least the second time in a month that third-party researchers have discovered cryptocurrency-mining apps available for download on Google servers. Four weeks ago, researchers from Trend Micro reported they found two apps downloaded one million to five million times that mined the Litecoin and Dogecoin cryptocurrencies without explicitly informing end users.

"These apps did fulfill their advertised purpose in that they provided live wallpaper apps, which vary in theme from anime girls to 'epic smoke' to attractive men," Meghan Kelly, a Lookout security communications manager, wrote in Thursday's blog post. "However, without alerting you in the terms of service, BadLepricon enters into an infinite loop where—every five seconds—it checks the battery level, connectivity, and whether the phone’s display was on."

Laying low

The Bitcoin mining happened only when the battery level was at 50 percent or higher, presumably as a means to prevent infected users from knowing that their device was running the mining code. While the cautious checking of battery reserves, connectivity, and display may have prevented the miner from running continuously, the secret code likely took its toll. Bitcoin mining places extreme processing demands on hardware, causing devices to slow down and generate much more heat than would be the case otherwise. As with some of the offending apps in Google Play since the middle of February, BadLepricon represents a menace to users. It also underscores the continuing inadequacy of "Bouncer," the cloud-based scanner Google unveiled in early 2012 to scour the Play market for malicious apps.

As an interesting side note, BadLepricon was endowed with features that indicate the malware family wasn't a casual undertaking by its developers. The inclusion of a stratum mining proxy allows the operators to easily join, leave, or change mining pools that individual miners form to work in unison with others. Stratum makes it easier to connect to Bitcoin wallets and to do so in a pseudo-anonymous fashion. BadLepricon also includes a feature known as WakeLock that makes sure infected devices don't go to sleep when their display is turned off.
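The traits described above (a live wallpaper that polls the battery, holds a WakeLock, and talks to a Stratum pool) can be turned into a simple static triage check. The following is an added example, not code from Lookout or from the apps themselves. It assumes a manifest already decoded to text (for instance by apktool) and a list of strings extracted from the app; the `stratum+tcp://` URL form, the permission names checked, and the scoring weights are assumptions chosen for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
WALLPAPER_ACTION = "android.service.wallpaper.WallpaperService"
STRATUM_RE = re.compile(r"stratum\+tcp://[\w.-]+:\d+", re.IGNORECASE)

def triage(manifest_xml, strings):
    """Score a decoded manifest plus extracted strings against the traits described above."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    is_wallpaper = any(a.get(ANDROID + "name") == WALLPAPER_ACTION
                       for a in root.iter("action"))
    pools = sorted({m.group(0) for s in strings for m in STRATUM_RE.finditer(s)})
    traits = {
        "live_wallpaper": is_wallpaper,
        "wake_lock": "android.permission.WAKE_LOCK" in perms,
        "network": "android.permission.INTERNET" in perms,
        "battery_poll": any("BATTERY_CHANGED" in s for s in strings),
        "stratum_pool": bool(pools),
    }
    # A pool endpoint is the strong signal; the other traits are common in
    # benign apps and only add weight when they appear alongside it.
    score = 3 * traits["stratum_pool"] + sum(
        traits[k] for k in ("wake_lock", "battery_poll", "network"))
    verdict = "review" if traits["stratum_pool"] and score >= 5 else "pass"
    return {"verdict": verdict, "score": score, "pools": pools, "traits": traits}

# Constructed sample inputs (not taken from any real app).
def _manifest(perms):
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android">{uses}'
            '<application><service android:name=".Paper"><intent-filter>'
            f'<action android:name="{WALLPAPER_ACTION}"/>'
            '</intent-filter></service></application></manifest>')

SUSPECT = (_manifest(["INTERNET", "WAKE_LOCK"]),
           ["android.intent.action.BATTERY_CHANGED", "stratum+tcp://pool.example.invalid:3333"])
BENIGN = (_manifest(["WAKE_LOCK"]), ["android.intent.action.BATTERY_CHANGED"])

if __name__ == "__main__":
    for name, (manifest, strs) in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(manifest, strs))
```

A "review" verdict here only means the sample deserves a closer look; a miner that fetches its pool address at run time would carry no such string and would need behavioral analysis instead.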

The regular discovery of malicious and fraudulent apps available in Google Play is troubling for Android users who depend on their devices to send and receive sensitive e-mails and messages, store contemporaneous records of their whereabouts, or work reliably without being bogged down by secret code. It also raises a question: If third parties can detect these apps so frequently, why can't Google beat them to it?