Malicious cryptocurrency mining is a fast-growing threat in 2018, surpassing ransomware as the favorite choice of cybercriminals. The rising value and steady availability of digital currencies such as Bitcoin and Monero offer attackers low risk with high returns, and this is driving the surge. Cybercriminals deploying cryptocurrency mining techniques more commonly target servers or laptops, but in many cases they are also turning to mobile devices. This poses a threat to both subscribers and mobile network operators.
Palo Alto Networks Unit 42 threat intelligence team has been following the rise of malicious cryptocurrency mining and described the trend in the blog post What’s Driving the Shift to Cryptocurrency Mining Malware. In another post, Rise of the CryptoCurrency Miners, Unit 42 researchers described a Monero campaign that infected around 15 million systems. If these systems remained infected for at least 24 hours each, the attackers could have earned well over $3 million.
Cryptomining malware works by taking over the CPU processing power of the infected device to mine cryptocurrency. In many ways, mobile phones are unattractive targets: their processing power is very limited compared to a laptop or server. However, the vast number of active mobile devices globally, now estimated at 7.8 billion, outnumbers the estimated 1 billion Windows laptops almost eightfold. The lack of security on most mobile phones, the eagerness with which subscribers download applications, and the seeming ease with which attackers can embed malicious code into websites and application stores make malicious cryptocurrency mining on mobile devices increasingly easy.
Cryptocurrency miner malware can be devastating to mobile devices, where battery resources are limited. The malware overtaxes the CPU so much that irreparable damage can be done to mobile phones in as little as two days. Unlike ransomware, cryptomining can often go undetected by the mobile subscriber: cybercriminals have cleverly engineered the malicious site and the malware to appear legitimate, thereby hiding their activity. The depleted battery life or overheated, malfunctioning phone will be a mystery to the subscriber, who is unlikely to attribute it to a malicious action. The malicious app also generates data traffic, which can give rise to additional costs for users on mobile tariffs that do not have unlimited data volumes. Yet even this small additional cost is unlikely to be associated by the subscriber with a device infection.
For mobile network operators, it is particularly difficult to correlate subscriber churn, complaints about battery performance, or device malfunction with a cryptocurrency mining infection.
Unhappy subscribers can result in complaints to customer care, phone replacements and subscriber churn, all of which carry real costs and consequences for the mobile operator. The mobile network operator and the subscriber are both victims.
This is a growing problem. According to Dark Reading, Coinhive is a cryptominer deployed on thousands of websites around the world. In another example, a researcher uncovered a new malvertising campaign targeting Android users that effectively forced phones to mine cryptocurrency for as long as the phone was active on its websites. The researcher estimated that 60 million visitors had visited the malicious domains and spent an average of four minutes on the page, equivalent to a few thousand dollars in Monero, and a lot of overloaded Android CPUs.
Unit 42 threat research has identified 470,000 unique malware samples that hijack computers and mobile devices to mine cryptocurrency, with a huge spike in 2018. The popularity of malicious cryptomining continues to skyrocket as a direct result of a previous spike in the value of cryptocurrencies such as Monero; only time will tell whether cryptominers will remain popular. It is clear that such activity has been profitable for the individuals or groups who have mined cryptocurrency using malicious techniques over a long period. As Palo Alto Networks researchers first highlighted, a total of $175 million has been found to have been mined historically in Monero, representing roughly 5 percent of all Monero currently in circulation.
Combating the Threat
Malicious cryptocurrency mining on mobile devices has been observed in live service provider trials conducted by Palo Alto Networks. The Palo Alto Networks Security Operating Platform provides application-layer visibility and functions specifically designed to let mobile network operators quickly identify the malicious command-and-control (C2) activity as well as which subscribers and devices are affected. With this deep visibility, MNOs can then take corrective action, which might include notifying the infected subscriber, offering remediation options through customer care, and upselling a protection service.
Mobile network operators using the Palo Alto Networks Security Operating Platform have a number of means to combat this threat on their networks, including WildFire detections for cryptominers delivered via malware and GTP security, which correlates the threat to the impacted subscriber or device. For more information on the mobile network infrastructure capabilities of the Security Operating Platform, download the brief.
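The two steps described above, spotting the miner's traffic to its pool and tying that traffic back to a subscriber, can be sketched in a few lines. The following Python is an added example, not code from Palo Alto Networks or the Security Operating Platform. It assumes a sensor that exports per-tunnel flow records carrying the GTP-U TEID and a sample of the TCP payload, plus a TEID-to-IMSI table of the kind a GTP-aware firewall builds from GTP-C signaling; the tunnel table, flow records, addresses and wallet string are all constructed.

```python
"""Added example: flag Stratum mining-pool traffic in flow records and map each hit
back to the mobile subscriber behind the GTP-U tunnel it was seen in.
All tunnel entries, flow records and addresses below are constructed sample data."""
import json
from collections import defaultdict

# JSON-RPC method names used by Stratum mining clients. The first group is the
# Bitcoin-style Stratum v1 dialect; the second is the Monero/XMRig-style dialect.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",
    "login", "getjob", "submit", "job",
}

# Constructed GTP-U tunnel table: TEID -> subscriber identity. In a real GTP-aware
# firewall this comes from the GTP-C Create Session exchange; MCC 001 / MNC 01 is
# the test-network code, so these IMSIs belong to no real subscriber.
TUNNELS = {
    0x1001: {"imsi": "001010000000001", "msisdn": "+10000000001", "imei": "00000000000001"},
    0x1002: {"imsi": "001010000000002", "msisdn": "+10000000002", "imei": "00000000000002"},
    0x1003: {"imsi": "001010000000003", "msisdn": "+10000000003", "imei": "00000000000003"},
}

# Constructed flow records as a GTP-U-aware sensor might export them: the TEID of
# the tunnel the packet travelled in, the destination, and the first bytes of TCP
# payload. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges and
# WALLET_PLACEHOLDER is not a real address.
FLOWS = [
    {"teid": 0x1001, "dst_ip": "203.0.113.10", "dst_port": 3333,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/5.11.1"}}\n'},
    {"teid": 0x1001, "dst_ip": "203.0.113.10", "dst_port": 3333,
     "payload": '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"1","job_id":"7","nonce":"deadbeef","result":"00"}}\n'},
    {"teid": 0x1002, "dst_ip": "198.51.100.5", "dst_port": 443,
     "payload": "GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"},
    {"teid": 0x1003, "dst_ip": "203.0.113.20", "dst_port": 4444,
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'},
    {"teid": 0x9999, "dst_ip": "203.0.113.10", "dst_port": 3333,
     "payload": '{"id":1,"method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x"}}\n'},
]


def is_stratum_payload(payload: str) -> bool:
    """True if any newline-delimited line of the payload is a Stratum JSON-RPC call."""
    for line in payload.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            return True
    return False


def correlate_miner_flows(flows, tunnels):
    """Group flagged flows by subscriber IMSI. Flows in a TEID with no tunnel-table
    entry are kept under an 'unknown-teid' key so a stale table cannot hide them."""
    hits = defaultdict(list)
    for flow in flows:
        if not is_stratum_payload(flow["payload"]):
            continue
        sub = tunnels.get(flow["teid"])
        key = sub["imsi"] if sub else f"unknown-teid-{flow['teid']:#x}"
        hits[key].append(flow)
    return dict(hits)


def subscriber_report(hits, tunnels):
    """One row per subscriber: identity, flow count and the pool endpoints contacted,
    busiest first. This is the shape a customer-care or notification job would consume."""
    rows = []
    for key, flows in hits.items():
        sub = tunnels.get(flows[0]["teid"], {})
        rows.append({
            "imsi": key,
            "msisdn": sub.get("msisdn", "?"),
            "imei": sub.get("imei", "?"),
            "flows": len(flows),
            "pools": sorted({f"{f['dst_ip']}:{f['dst_port']}" for f in flows}),
        })
    return sorted(rows, key=lambda r: (-r["flows"], r["imsi"]))


if __name__ == "__main__":
    for row in subscriber_report(correlate_miner_flows(FLOWS, TUNNELS), TUNNELS):
        print(row)
```

Matching on Stratum method names catches the plaintext pool connections that most mobile miners open; a pool reached over TLS would need destination-based indicators instead, which is where a reputation feed such as the one the platform uses takes over. Keeping flows whose TEID is absent from the table under an explicit unknown key means a stale tunnel mapping degrades to an alert without a subscriber rather than to silence.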