We uncovered a new Android malware that can surreptitiously use the infected device's computing power to mine Monero. Trend Micro detects this as ANDROIDOS_HIDDENMINER. This Monero-mining Android app’s self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLocker Android ransomware).

We further delved into HiddenMiner and found the Monero mining pools and wallets connected to the malware, and learned that one of its operators withdrew 26 XMR (or US$5,360 as of March 26, 2018) from one of the wallets. This indicates a rather active campaign of using infected devices to mine cryptocurrency. HiddenMiner uses the device’s CPU power to mine Monero. There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted. Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.

This is similar to the Loapi Monero-mining Android malware, which other security researchers observed to have caused a device’s battery to bloat. In fact, Loapi’s technique of locking the screen after revoking device administration permissions is analogous to HiddenMiner’s.

HiddenMiner is found in third-party app marketplaces. So far, it’s affecting users in India and China, but it won’t be a surprise if it spreads beyond both countries.

Figure 1. Screenshot for one Monero wallet address’s status

Infection Chain

HiddenMiner poses as a legitimate Google Play update app, popping up as com.google.android.provider complete with Google Play’s icon. It requires users to activate it as a device administrator. It will persistently pop up until victims click the Activate button. Once granted permission, HiddenMiner will start mining Monero in the background.

Figure 2. The malicious app’s screen requiring users to activate it as device administrator

Technical Analysis

HiddenMiner uses several techniques to hide itself on the device, such as emptying the app label and using a transparent icon after installation. Once activated as device administrator, it hides the app from the app launcher by calling setComponentEnabledSetting() to disable its launcher component. Note that the malware will stay hidden and keep running with device administrator permission until the next device boot. The DoubleHidden Android adware employs similar techniques.

Figure 3. An illustration of how HiddenMiner hides itself: an empty app label and transparent icon after installation (left), then disappearing once granted device administration permissions (right)

HiddenMiner also has anti-emulator capabilities to evade detection and automated analysis. It checks whether it is running on an emulator by abusing an open-source Android emulator detector found on GitHub.

Figure 4. Code snippet showing how HiddenMiner bypasses Android emulators based on our sandboxing detection and analysis

Figure 5. Code snippet showing how HiddenMiner mines Monero

Abusing Device Administration Permission

Users can't uninstall an active device admin package until its device administrator privileges are removed first. In HiddenMiner’s case, victims cannot remove it as device administrator because the malware employs a trick to lock the device’s screen whenever the user tries to deactivate its device administrator privileges. It takes advantage of a bug present in Android versions prior to Nougat (Android 7.0).

Figure 6. Code snippet showing how HiddenMiner prevents removal of device administrator privileges

Google resolved this security issue in Nougat and later Android versions by reducing the privileges of device admin applications so they can no longer lock the screen during deactivation (even where screen locking is part of the app’s functionality); the device admin is no longer notified via the onDisableRequested() callback. These tactics aren’t new: certain Android ransomware and information stealers (e.g., Fobus) have employed them to gain a foothold on the device.
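As an added example (not code from the report or from Trend Micro’s products), the following Python triage heuristic scores an installed app against the self-hiding and device-admin indicators described in the Technical Analysis and Abusing Device Administration Permission sections. The AppRecord fields, the constructed sample records and the two-indicator threshold are assumptions; a real collector would populate the records from the device’s package and device-policy state.

```python
from dataclasses import dataclass
from typing import List

# Constructed per-app record (assumption: a real collector would fill this
# from the device's package manager / device-policy state).
@dataclass
class AppRecord:
    package: str
    label: str
    launcher_enabled: bool   # main activity still enabled (not disabled via setComponentEnabledSetting)
    icon_transparent: bool
    device_admin: bool       # currently an active device administrator
    installer: str           # "com.android.vending" for Google Play, "" if sideloaded
    system_app: bool         # preinstalled by the OEM

PLAY_STORE = "com.android.vending"
# Package names used by the sample, as given in the report.
KNOWN_HIDDENMINER_PKGS = {"com.google.android.provider", "com.android.sesupdate"}
NOUGAT_SDK = 24  # Android 7.0

def hiding_indicators(app: AppRecord, device_sdk: int) -> List[str]:
    """Return the HiddenMiner-style self-protection indicators present on an app."""
    hits = []
    if app.package in KNOWN_HIDDENMINER_PKGS:
        hits.append("package name matches reported HiddenMiner sample")
    if not app.label.strip():
        hits.append("empty app label")
    if app.icon_transparent:
        hits.append("transparent launcher icon")
    if app.device_admin and not app.launcher_enabled:
        hits.append("launcher entry disabled while device admin is active")
    third_party = not app.system_app and app.installer != PLAY_STORE
    if third_party and app.package.startswith(("com.google.", "com.android.")):
        hits.append("Google/AOSP-style package name from a non-Play source")
    # Per the report, only Nougat and later stop a device admin from locking the
    # screen while being deactivated, so an older device cannot safely revoke it.
    if app.device_admin and third_party and device_sdk < NOUGAT_SDK:
        hits.append("active third-party device admin on pre-Nougat device")
    return hits

def triage(app: AppRecord, device_sdk: int) -> str:
    """Coarse verdict: two or more independent indicators is 'suspicious'."""
    n = len(hiding_indicators(app, device_sdk))
    return "suspicious" if n >= 2 else ("review" if n == 1 else "clean")

if __name__ == "__main__":
    # Constructed record modelled on the report's description of the sample.
    sample = AppRecord("com.google.android.provider", "", False, True, True, "", False)
    for hit in hiding_indicators(sample, device_sdk=23):
        print("-", hit)
    print(triage(sample, device_sdk=23))
```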

Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave. For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.

Trend Micro Solutions

Trend Micro™ Mobile Security for Android™ (also available on Google Play) blocks malicious apps that may exploit this vulnerability. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

Indicators of Compromise

Related hashes (SHA-256) detected as ANDROIDOS_HIDDENMINER (package name: com.android.sesupdate):

Monero mining pools and wallets/addresses related to HiddenMiner: