Android Wallpaper Apps Secretly Mine Bitcoins


Google has removed five smartphone wallpaper applications that used handset computing power to produce digital currency

Google has removed five Android wallpaper applications from its Play store that were found to be secretly mining bitcoins, according to security firm Lookout.

The apps were found to contain a piece of malware which Lookout calls BadLepricon, and which used the processing power of users’ smartphones to carry out the computing operations by which new bitcoins are produced. Each of the applications had been installed between 100 and 500 times when they were removed.


Pooling resources

The malware linked the handsets to a network of others in order to pool large amounts of computing resources for bitcoin mining operations. The malware uses a proxy to coordinate the infected handsets, which allows its authors to change mining pools or connections, and which also conceals which bitcoin wallet is linked to the botnet.

“Miners often don’t work alone,” wrote Lookout researcher Meghan Kelly in a blog post. “They work in groups, pooling their processing resources. They collect payment as a percentage of the processing power they contribute.”

While smartphones are growing increasingly powerful, it is doubtful that they contributed much to the malware authors’ bitcoin operations, since bitcoins require large amounts of computing resources to create, Kelly said. A recent experiment found that 600 quad-core servers were only able to generate 0.4 coins per year, she wrote.

A similar piece of mobile malware discovered last month by Trend Micro, called CoinKrypt, targeted Dogecoins, Litecoins and Casinocoins, which can be produced with less computing power. The apps containing that malware, also found on Google Play, had registered between 1 million and 5 million downloads each.

One of CoinKrypt’s limitations was that it used so much computing power that it burned out infected handsets, making it relatively easy to spot.

‘Epic Smoke’

BadLepricon is more subtle, only running when a handset’s battery level is more than 50 percent charged and the display is turned off. It uses a feature called WakeLock to ensure the handset doesn’t go into sleep mode even if the display is switched off.
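The gating described above leaves a recognisable pattern in device telemetry: heavy CPU use that appears only while the screen is off, the battery is above 50 percent and a wake lock is held. The sketch below is an added example, not Lookout's detection logic; the sample format, package names and thresholds are assumptions, and the telemetry is constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Sample(NamedTuple):          # one per-minute reading (hypothetical format)
    app: str
    cpu_pct: float
    screen_on: bool
    battery_pct: int
    holds_wakelock: bool

BUSY_CPU = 60.0   # assumed threshold for "heavy" CPU use
MIN_BUSY = 3      # assumed minimum number of busy readings before flagging

def in_gate(s: Sample) -> bool:
    """True when the conditions the article lists for mining are all met."""
    return (not s.screen_on) and s.battery_pct > 50 and s.holds_wakelock

def gated_load_suspects(samples):
    """Apps whose heavy CPU load occurs only inside the gate and that were
    also observed staying quiet outside it."""
    busy_in, busy_out, quiet_out = (defaultdict(int) for _ in range(3))
    for s in samples:
        busy = s.cpu_pct >= BUSY_CPU
        if in_gate(s):
            if busy:
                busy_in[s.app] += 1
        elif busy:
            busy_out[s.app] += 1
        else:
            quiet_out[s.app] += 1
    return sorted(
        app for app, n in busy_in.items()
        if n >= MIN_BUSY and busy_out[app] == 0 and quiet_out[app] > 0
    )

# Constructed telemetry: a live wallpaper that only works in the gate,
# a music player that keeps working on low battery, and a foreground game.
SAMPLES = (
    [Sample("com.example.livewallpaper", 95, False, 80, True)] * 4
    + [Sample("com.example.livewallpaper", 2, True, 78, False),
       Sample("com.example.livewallpaper", 1, False, 45, False)]
    + [Sample("com.example.player", 70, False, 80, True)] * 3
    + [Sample("com.example.player", 70, False, 40, True)]
    + [Sample("com.example.game", 90, True, 90, True)] * 5
)

if __name__ == "__main__":
    print(gated_load_suspects(SAMPLES))
```

The music player is not flagged because it stays busy when the battery drops below 50 percent, which is what separates ordinary background work from load that is deliberately gated.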

The malware was attached to “live wallpaper” software apps with themes such as “Men’s Club”, “Urban Pulse”, “Epic Smoke” and “Beating Heart”, according to Lookout.

Lookout expects mobile coin mining malware to proliferate as handset power grows. “These devices are becoming more and more powerful and people are starting to come up with ways to take advantage of that power,” wrote Kelly. “We expect to see more mobile miners come to the foreground.”
