Monero-mining Android malware will exhaust your phone in its quest for cash.
A new strain of Android malware will continuously use an infected device's CPU to mine the Monero cryptocurrency until the device is exhausted or even breaks down.
Security company Trend Micro has named the malware HiddenMiner because of the techniques it uses to protect itself from discovery and removal.
Like most cryptocurrency-mining software, HiddenMiner uses the device's CPU power to mine Monero. But Trend Micro said that because there is no switch, controller, or optimizer in HiddenMiner's code it will continuously mine Monero until the device's resources are exhausted.
"Given HiddenMiner's nature, it could cause the affected device to overheat and potentially fail," the company said.
If the researchers' concerns are correct, this is not the first cryptocurrency-mining malware to put your smartphone at risk: last year the Loapi Android malware worked a phone so hard that its battery swelled up and burst open the device's back cover, wrecking the handset within 48 hours.
Trend Micro said the two pieces of malware share similarities, noting that Loapi's technique of locking the screen after revoking device administration permissions is analogous to HiddenMiner's.
Researchers at the company identified the Monero mining pools and wallets connected to the malware, and spotted that one of its operators withdrew 26 XMR -- around $5,360 -- from one of the wallets. This, they said, indicates a "rather active" campaign of using infected devices to mine cryptocurrency.
HiddenMiner poses as a legitimate Google Play update app, and forces users to activate it as a device administrator. It will persistently pop up until victims click the Activate button; once granted permission, HiddenMiner will start mining Monero in the background.
It also attempts to hide itself on infected devices, for example by emptying the app label and using a transparent icon after installation. Once activated as device administrator, it will hide the app from the app launcher. The malware will hide itself and automatically run with device administrator permission until the next device boot. HiddenMiner also has anti-emulator capabilities to bypass detection and automated analysis.
It's also hard to get rid of: users can't uninstall an active system admin package until device administrator privileges are removed first. But HiddenMiner locks the device's screen when a user wants to deactivate its device administrator privileges, taking advantage of a bug found in Android operating systems before Android 7.0 Nougat.
Trend Micro said that HiddenMiner is found in third-party app marketplaces and is affecting users in India and China, but it won't be a surprise if it spreads beyond these countries.
The emergence of this malware should reinforce the need for mobile security hygiene, said Trend Micro: download only from official app marketplaces; regularly update the device's OS, and be careful about the permissions you grant to applications.