60 Million Android Users Hit By Cryptocurrency Miner

Malvertising is a problem. Cryptocurrency-mining malware is a problem. Put them together, and you’ve got a really, really big problem.

A new malvertising campaign is targeting Android users, forcing their phones to mine cryptocurrency, for as long as it can keep them captive on a shady website. The good news is that the scam is easy to avoid; the bad news is that if you fall victim, it could damage your phone permanently.

Credit: Google

(Image credit: Google)

Malwarebytes Labs, a Santa Clara, California-based security firm, discovered the scheme, then wrote about it on the company blog. According to security researcher Jérôme Segura, the attack is an example of "drive-by mining," in which a malefactor exploits a device to mine cryptocurrency (in this case, Monero, or XMR) for just a short period of time.

While Malwarebytes didn't specify which sites might be carrying the dangerous ads in question, at least one of them must be pretty popular. Dr. Augustine Fou, working alongside Malwarebytes, discovered that more than 60 million visitors have visited the malicious domains, and spent an average of four minutes on the page. That's probably equivalent to a few thousand dollars in Monero — and a lot of overtaxed Android CPUs.

What's the Worst That Could Happen?

Since the website leverages your phone only for a minute or so and doesn’t leave any traces on your phone, it may seem relatively harmless. However, cryptocurrency mining is a heavy-duty operation even on a gaming rig; on an Android phone, it can be a death sentence. Monero mining runs the phone’s CPU at 100 percent indefinitely, which can cause the chip to overheat. Left unchecked, this can brick your entire phone — or, more accurately, make part of it melt.

In other words, running the website for a minute or two at a time is bad enough, but imagine what would happen if you didn’t notice the ad, or accidentally forgot to close it, or walked away from your phone while it opened.

How to Protect Yourself

The best way to prevent this page from compromising your phone is to run an Android antivirus suite. (Malwarebytes recommends its own mobile software, but any program worth its salt will block unwanted pop-under ads.)

f you don’t use an Android AV program, you can’t necessarily “avoid” the attack — malvertising is so insidious, because it can show up on the normally safe pages you use every day —  but you can mitigate the damage dealt. As soon as the page pops up, shut your browser immediately, then notify the site you were using about the dangerous advertisement.

MORE: Best Android Antivirus - Top Free and Paid Mobile Security

How the Attack Works

Here’s how the attack works: First, a user encounters a malicious ad on an otherwise-legitimate site. The ad determines what browser a user is running, and by extension, what OS. If the ad detects Android, it redirects the user to a malicious page, which claims that the phone is “showing suspicious surfing behavior.” Users have to input a captcha to “verify [themselves] as human.”

You’ve seen similarly shady pages if you’ve spent any time in an Android browser, but this one has a catch: It states that until users complete the captcha, it will "mine the Cryptocurrency (sic) Monero for us in order to recover server costs incurred by bot traffic."

The part about recouping server costs is nonsense, of course, but the cryptocurrency mining is not. For as long as a user remains on the page, the webpage will leverage the phone’s CPU to mine Monero. Interestingly, though, once the user enters the captcha and taps Continue, it redirects him or her to Google, and ceases its mining operations. It doesn’t appear to steal any personal information.

A Worrying Precedent

This particular cryptocurrency mining scam is easily defeated, but it still sets a worrying precedent. If cryptocurrency miners can spread via malvertising, it’s not so easy to protect yourself against them. And if a really clever one figures out a way to run without your knowledge, your phone could be physically ruined before you ever had a chance to address it.

For now, if you have an Android phone, your best bet is to run an antivirus suite, which will stop a lot of this stuff dead in its tracks before it ever hits your screen. And, if you’re really interested in mining cryptocurrency, I have an incredible bridge for sale in Brooklyn that might also interest you.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.