Here’s a comforting thought: When you download an app to your phone, unless you’re able to get inside the program’s code and pull it apart line by line, you really have to take it on faith that the program is only doing what the company behind it advertised.
Take, for example, a collection of five apps hosted on the Google Play store that turned the wallpaper of your smartphone into pictures of things like sexy shirtless dudes, sexy anime girls, or decidedly less sexy animations of multi-colored smoke. While these apps did what they were supposed to do, they also accomplished something else—secretly diverting the computing power of the phones on which they were installed for the purposes of mining Bitcoins on behalf of the apps’ developers.
(Screenshot courtesy of Lookout Mobile Security)
The malware was discovered by researchers at mobile security firm Lookout, who dubbed it BadLepricon. After Lookout informed Google of the issue, the apps were swiftly removed from the company's marketplace—although all of them had already been downloaded hundreds of times.
New Bitcoins are created through a process called mining, which is essentially a guessing game in which every computer connected to the global Bitcoin network and running a certain piece of software attempts to solve a series of incredibly complex math problems. Every 10 minutes, one computer on the network wins a round of the game and receives a batch of freshly minted bitcoins. This mechanism is responsible for keeping the entire Bitcoin system up and functioning.
Since each round of the game has only one winner and a miner’s odds of winning are directly proportional to the total amount of computing power he or she points at the problem, the system has created an arms race where miners are constantly upgrading their hardware in an endless attempt to best the competition.
However, it’s also possible for groups of computers to work together as a single unit, combining resources to increase the overall chance at victory. When people voluntarily join together for mining, the operation is called a mining pool. When that participation is involuntary, conducted by software secretly installed on people’s machines, it’s called a botnet. It is also possible, though, for the operators of a botnet to point their illicitly obtained computing resources into a mining pool.
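The "guessing game" described above can be made concrete with a small simulation. The following is an added example, not code from the article or from Lookout: it plays a toy proof-of-work lottery with a single SHA-256 (real Bitcoin hashes an 80-byte header twice) and attributes each guess to a miner in proportion to that miner's hash rate, which is why a hijacked phone contributing a sliver of the network's hashing power wins roughly that sliver of the rounds. The miner names, hash rates and block headers are constructed for the simulation.

```python
import hashlib
import random


def guess_hits_target(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """One guess in the lottery: hash the header with a candidate nonce and
    accept it if the result is below the target. Each guess succeeds with
    probability 2**-difficulty_bits, independent of every earlier guess.
    (Bitcoin uses double SHA-256 over an 80-byte header; a single SHA-256
    over a constructed header is enough to show the mechanism.)"""
    digest = hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def expected_guesses(difficulty_bits: int) -> int:
    """Mean number of guesses the whole network needs to finish one round."""
    return 2 ** difficulty_bits


def mine_round(header: bytes, hash_rates: dict, difficulty_bits: int, rng: random.Random):
    """Play one round. Every guess made anywhere on the network is credited
    to a miner with probability proportional to that miner's hash rate, so
    whoever makes the winning guess takes the round.
    Returns (winner, guesses_made)."""
    names = list(hash_rates)
    weights = [hash_rates[n] for n in names]
    nonce = 0
    while True:
        nonce += 1
        miner = rng.choices(names, weights=weights)[0]
        if guess_hits_target(header, nonce, difficulty_bits):
            return miner, nonce


def simulate(hash_rates: dict, rounds: int, difficulty_bits: int = 8, seed: int = 1) -> dict:
    """Run many rounds and report each miner's share of wins next to the
    share of network hash rate it contributed."""
    rng = random.Random(seed)
    wins = {name: 0 for name in hash_rates}
    total_guesses = 0
    for r in range(rounds):
        header = f"constructed-block-{r}".encode()  # constructed, not a real block header
        winner, guesses = mine_round(header, hash_rates, difficulty_bits, rng)
        wins[winner] += 1
        total_guesses += guesses
    total_rate = sum(hash_rates.values())
    return {
        "wins": wins,
        "win_share": {n: wins[n] / rounds for n in wins},
        "rate_share": {n: hash_rates[n] / total_rate for n in hash_rates},
        "avg_guesses_per_round": total_guesses / rounds,
    }


if __name__ == "__main__":
    # A large mining rig next to a single hijacked phone; hash rates are
    # relative units constructed for the simulation.
    result = simulate({"mining_rig": 95, "hijacked_phone": 5}, rounds=400)
    for name in result["wins"]:
        print(f"{name:15s} hash share {result['rate_share'][name]:.2f} "
              f"win share {result['win_share'][name]:.2f}")
    print("average guesses per round:", result["avg_guesses_per_round"],
          "expected:", expected_guesses(8))
```

Over enough rounds the win share tracks the hash-rate share, which is the whole economic logic of a mining botnet: one phone is worthless, but hundreds of installs pooled together add up, and the operator pays nothing for the electricity or the hardware.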
According to a blog post on Lookout’s website detailing BadLepricon, the creators of this particular botnet went to great lengths to avoid being detected. "Without alerting you in the terms of service, BadLepricon enters into an infinite loop where—every five seconds—it checks the battery level, connectivity, and whether the phone’s display was on," Lookout's Meghan Kelly explained. "It does this almost as a courtesy to your phone. Miners, when left unchecked, can damage a phone by using so much processing power that it burns out the device. In order to avoid this, BadLepricon makes sure that the battery level is running at over 50 percent capacity, the display is turned off, and that the phone has network connectivity."
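The gating behaviour Lookout describes is also something a defender can look for: an app whose CPU use switches on only when the screen is off, the battery is above 50 percent and the network is up, and switches off the moment any of those changes, is behaving like a gated miner. The following is an added example, not code from the article or Lookout's own detection logic. It turns the three polled conditions into a simple heuristic and runs it over two constructed five-second telemetry timelines, one for an app that mines behind the gate and one for a benign sync app that is busy regardless of device state; the `Sample` fields, thresholds and timelines are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One periodic device-state snapshot (constructed telemetry, not from any real app)."""
    t: int            # seconds since the capture started
    battery: int      # percent
    screen_on: bool
    connected: bool
    app_cpu: float    # fraction of CPU the app consumed during this interval


def gate_open(s: Sample) -> bool:
    """The three conditions Lookout says BadLepricon polls every five seconds
    before it is willing to mine: battery above 50 percent, display off,
    network connectivity present."""
    return s.battery > 50 and not s.screen_on and s.connected


def mining_like(samples, busy_threshold: float = 0.5, min_busy: int = 4):
    """Heuristic (an assumption of this example, not Lookout's detection):
    an app whose heavy CPU use happens only while the gate is open, and that
    goes quiet whenever the gate closes, is behaving like a gated miner.
    Returns (flagged, busy_while_open, busy_while_closed)."""
    busy_open = sum(1 for s in samples if s.app_cpu >= busy_threshold and gate_open(s))
    busy_closed = sum(1 for s in samples if s.app_cpu >= busy_threshold and not gate_open(s))
    flagged = busy_open >= min_busy and busy_closed == 0
    return flagged, busy_open, busy_closed


def constructed_timeline(app_cpu_rule):
    """Build a two-minute timeline of five-second samples that walks through
    screen on/off, a connectivity drop and a battery fall; app_cpu_rule
    decides how much CPU the app burns in each state."""
    samples = []
    for i in range(24):
        t = i * 5
        screen_on = i < 6                 # user puts the phone down after 30 s
        battery = 80 if i < 18 else 40    # battery drops below the threshold late on
        connected = i not in (12, 13)     # brief loss of connectivity
        state = Sample(t, battery, screen_on, connected, 0.0)
        samples.append(Sample(t, battery, screen_on, connected, app_cpu_rule(state)))
    return samples


# A wallpaper app that secretly mines: pegs the CPU exactly when the gate is open.
GATED_MINER = constructed_timeline(lambda s: 0.95 if gate_open(s) else 0.02)
# A benign sync app: busy for its first minute regardless of screen or battery, then idle.
BENIGN_SYNC = constructed_timeline(lambda s: 0.7 if s.t < 60 else 0.01)


if __name__ == "__main__":
    for name, timeline in (("gated_miner", GATED_MINER), ("benign_sync", BENIGN_SYNC)):
        print(name, mining_like(timeline))
```

The heuristic is deliberately narrow: it only fires when every busy sample falls inside the gate, so an app that also works while the screen is on (a sync client, a game) is left alone, while the miner's perfect correlation with "screen off, charged, online" is exactly the signature that the courtesy checks create.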
BadLepricon isn’t the first instance of Bitcoin mining malware being inserted into what otherwise appeared to be a reputable program.
A few weeks ago, a pair of apps boasting millions of downloads were removed from the Google Play store for serving as a vehicle for a similar botnet that mined Bitcoin derivatives like Litecoin and Dogecoin, which are considerably less difficult to mine.
Last year, it was revealed that New York-based E-Sports Entertainment Association had covertly turned some 14,000 of its users into unwitting cryptocurrency miners. After being outed, the company initially claimed the whole thing was an April Fool’s joke, but was eventually forced by a New Jersey court to pay a $325,000 fine and be subjected to a decade of probation.
Lookout noted that, if the people behind BadLepricon had been upfront about their intentions, and cut users in on the proceeds, their plan to turn smartphones into a decentralized mining network might actually be a solid business model:
Instead of being served advertising, people could use a few processing cycles to mine cryptocurrency instead. We can see a world where that would be tolerated, but in the case of BadLepricon, not alerting the user to your intentions will land you straight in the malware pile.
Photo by Reeda/Wikimedia Commons