Drive-by cryptomining campaigns were spotted targeting millions of Android devices via infected apps and malicious browser redirects.
Malwarebytes researchers detected a series of attacks that began around November 2017 in which Android devices were redirected to a page specifically designed to perform in-browser cryptomining, according to a Feb. 12 blog post.
The technique appears automated: users were left on a page presenting a CAPTCHA to solve in order to prove they aren't bots, while the page ran the cryptomining software in the background.
Users are often redirected from adult sites or sites that draw a lot of traffic and serve low quality advertisements as well as from infected apps containing ad modules leading to the cryptomining page. The malicious apps are often “free apps” found within the Android ecosystem, researchers said.
The threat actors behind the campaign may be going after low quality traffic instead of serving typical ads that might be wasted and are looking to make a profit using a browser-based Monero miner.
The researchers identified several identical domains all using the same CAPTCHA code, and yet having different Coinhive site keys and said that it's difficult to determine how much currency the operation is yielding without knowing how many other domains (and therefore total traffic) are out there.
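As an added illustration, not code from the Malwarebytes report, the Python below scans captured landing-page HTML for the Coinhive loader and site-key calls described above and groups domains by site key, so an analyst can spot pages that share the CAPTCHA lure but use different keys. The sample pages, domain names and keys are constructed; the `coinhive.min.js` URL and the `CoinHive.Anonymous` / `CoinHive.User` constructors are assumed from Coinhive's public library.

```python
import re
from collections import defaultdict

# Constructed sample of captured landing pages (domain -> HTML) mimicking the
# CAPTCHA-fronted mining pages in the report. These are not real indicators.
SAMPLE_PAGES = {
    "example-redirect-1.test": """<html><body>
<p>Please prove you are not a robot: type the characters shown.</p>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('AAAAkeyone1111', {throttle: 0.2}); miner.start();</script>
</body></html>""",
    "example-redirect-2.test": """<html><body>
<p>Please prove you are not a robot: type the characters shown.</p>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous("BBBBkeytwo2222"); miner.start();</script>
</body></html>""",
    "benign.test": "<html><body><p>Hello</p></body></html>",
}

# Loader script URL (assumed from Coinhive's public library).
MINER_LIB = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
# First string argument of the miner constructor is the site key.
SITE_KEY = re.compile(r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]+)['\"]", re.I)
# Crude marker for the "prove you are not a bot" lure text.
CAPTCHA_HINT = re.compile(r"not a (?:robot|bot)", re.I)


def scan_page(html):
    """Return mining indicators found in one page, or None if nothing matched."""
    keys = SITE_KEY.findall(html)
    loads_miner = bool(MINER_LIB.search(html))
    if not loads_miner and not keys:
        return None
    return {
        "loads_miner": loads_miner,
        "site_keys": sorted(set(keys)),
        "captcha_lure": bool(CAPTCHA_HINT.search(html)),
    }


def cluster_by_key(pages):
    """Map each site key to the domains using it, to expose shared infrastructure."""
    by_key = defaultdict(set)
    for domain, html in pages.items():
        hit = scan_page(html)
        if hit:
            for key in hit["site_keys"]:
                by_key[key].add(domain)
    return {key: sorted(domains) for key, domains in by_key.items()}
```

Run `cluster_by_key(SAMPLE_PAGES)` over a real crawl and keys that span many domains point to one operator; identical lure HTML with distinct keys matches the pattern the researchers describe.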
“Forced cryptomining is now also affecting mobile phones and tablets en masse—not only via Trojanized apps, but also via redirects and pop-unders,” researchers said in the report. “While these platforms are less powerful than their Desktop counterparts, there is also a greater number of them out there.”
Malwarebytes researcher Jerome Segura told SC Media that whoever set up the infrastructure for the malware registered their domains via privacy services and that they don't know who is behind the malware.
“Mobile-based cryptomining is not that different at all from what we observe on PCs, apart from the different hash rate a mobile device may produce, which is also one of the characteristics of drive-by mining in that it is not platform specific,” Segura said.
Overall, infecting users is a numbers game, with threat actors standing to make more money the more users they infect. Recently, more than 5,000 UK government sites were hit by a cryptocurrency mining campaign.