Here’s a comforting thought: When you download an app to your phone, unless you’re able to get inside the program’s code and pull it apart line by line, you have to take it on faith that the program is only doing what the company behind it advertised.
Take, for example, a collection of five apps hosted on the Google Play store that turned the wallpaper of your smartphone into pictures of things like sexy shirtless dudes, sexy anime girls, or decidedly less sexy animations of multi-colored smoke. While these apps did what they were supposed to do, they also accomplished something else—secretly diverting the computing power of the phones on which they were installed for the purposes of mining Bitcoins on behalf of the apps’ developers.
(Screenshot courtesy of Lookout Mobile Security)
The malware was discovered by researchers at mobile security firm Lookout, who dubbed it BadLepricon. After Lookout informed Google of the issue, the apps were swiftly removed from the company's marketplace—although all of them had already been downloaded hundreds of times.
New Bitcoins are created through a process called mining, which is essentially a guessing game: every computer connected to the global Bitcoin network and running a certain piece of software attempts to solve a series of incredibly complex math problems. Every 10 minutes, one computer on the network wins a round of the game and receives a batch of freshly minted bitcoins. This mechanism is responsible for keeping the entire Bitcoin system up and functioning.
Since each round of the game has only one winner and a miner’s odds of winning are directly proportional to the total amount of computing power he or she points at the problem, the system has created an arms race where miners are constantly upgrading their hardware in an endless attempt to best the competition.
However, it’s also possible for groups of computers to work together as a single unit, combining resources to increase the overall chance at victory. When people voluntarily join together for mining, the operation is called a mining pool. When that participation is involuntary, conducted by software secretly installed on people’s machines, it’s called a botnet. It is also possible, though, for the operators of a botnet to point their illicitly obtained computing resources into a mining pool.
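To make the "guessing game" concrete, here is an added example (not from the article or from Lookout) that simulates the race with real SHA-256 hashing: each miner counts how many guesses it needs before a hash falls under a toy target, divides by its hashrate to get a time-to-win, and the fastest miner takes the round. Over many rounds the share of wins tracks the share of hashing power, and pooling two miners is the same as one miner with their combined rate. The difficulty, miner names and hashrates are constructed values chosen so the simulation runs in a couple of seconds.

```python
import hashlib
import random

# Constructed: a small difficulty so each success needs ~1,024 hashes on average.
DIFFICULTY_BITS = 10
# Constructed: a fixed "block header" the miners are guessing nonces for.
HEADER = b"toy-block-header"


def hash_meets_target(header: bytes, nonce: int, difficulty_bits: int = DIFFICULTY_BITS) -> bool:
    """A guess succeeds when the top `difficulty_bits` bits of the hash are zero."""
    digest = hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0


def guesses_until_success(header: bytes, start_nonce: int) -> int:
    """Count hash attempts from a random starting nonce until the target is met."""
    guesses = 0
    nonce = start_nonce
    while True:
        guesses += 1
        if hash_meets_target(header, nonce):
            return guesses
        nonce = (nonce + 1) % 2**64


def simulate_round(hashrates: dict, rng: random.Random) -> str:
    """One round of the race: each miner's time-to-win is guesses / hashrate.
    Returns the name of the miner with the smallest time."""
    times = {}
    for name, rate in hashrates.items():
        times[name] = guesses_until_success(HEADER, rng.getrandbits(64)) / rate
    return min(times, key=times.get)


def win_shares(hashrates: dict, rounds: int, seed: int = 1) -> dict:
    """Fraction of rounds each miner wins over `rounds` independent rounds."""
    rng = random.Random(seed)
    wins = {name: 0 for name in hashrates}
    for _ in range(rounds):
        wins[simulate_round(hashrates, rng)] += 1
    return {name: count / rounds for name, count in wins.items()}


def pooled(hashrates: dict, members: list, pool_name: str) -> dict:
    """Model a mining pool: members' hashrates are summed into one participant."""
    combined = {k: v for k, v in hashrates.items() if k not in members}
    combined[pool_name] = sum(hashrates[m] for m in members)
    return combined


if __name__ == "__main__":
    # Constructed hashrates: B has three times A's power and should win ~75%.
    solo = {"A": 1, "B": 3}
    print("solo:", win_shares(solo, 400))
    # Pooling A with a second small miner C makes the pool a 2-vs-3 contender.
    print("pooled:", win_shares(pooled({"A": 1, "B": 3, "C": 1}, ["A", "C"], "pool"), 400))
```

The simulation treats each miner's hashrate as constant and each hash as an independent trial, which is exactly the assumption behind the article's statement that odds are "directly proportional" to computing power; real networks also adjust the difficulty so that a round lasts about ten minutes regardless of total hashrate.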
According to a blog post on Lookout’s website detailing BadLepricon, the creators of this particular botnet went to great lengths to avoid being detected. ‟Without alerting you in the terms of service, BadLepricon enters into an infinite loop where—every five seconds—it checks the battery level, connectivity, and whether the phone’s display was on,” Lookout's Meghan Kelly explained. ‟It does this almost as a courtesy to your phone. Miners, when left unchecked, can damage a phone by using so much processing power that it burns out the device. In order to avoid this, BadLepricon makes sure that the battery level is running at over 50 percent capacity, the display is turned off, and the phone has network connectivity.”
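The gating behaviour Lookout describes (heavy work only while the screen is off, the battery is above 50 percent and the network is up) is itself a detectable signal: a legitimate wallpaper app has no reason for its CPU use to track those three conditions. The following added example, not from the article or from Lookout, runs a simple heuristic over constructed per-app device-state samples and flags apps whose CPU use is high only when the malware's gate would be open and near idle otherwise. Sample values, app names and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Sample:
    """One periodic reading of device state plus one app's CPU share (constructed)."""
    ts: int
    app: str
    screen_on: bool
    battery_pct: int
    connected: bool
    cpu_pct: float


def gate_open(s: Sample) -> bool:
    """The conditions the article says BadLepricon waits for before mining."""
    return (not s.screen_on) and s.battery_pct > 50 and s.connected


def flag_stealth_miners(samples, min_samples=4, busy=50.0, idle=10.0) -> dict:
    """Flag apps that are busy only while the gate is open and idle otherwise.
    Returns {app: {"cpu_when_hidden": ..., "cpu_otherwise": ...}}."""
    by_app = {}
    for s in samples:
        by_app.setdefault(s.app, []).append(s)
    flagged = {}
    for app, rows in by_app.items():
        hidden = [r.cpu_pct for r in rows if gate_open(r)]
        visible = [r.cpu_pct for r in rows if not gate_open(r)]
        # Need enough readings on both sides of the gate to draw a contrast.
        if len(hidden) < min_samples or len(visible) < min_samples:
            continue
        h, v = mean(hidden), mean(visible)
        if h >= busy and v <= idle:
            flagged[app] = {"cpu_when_hidden": round(h, 1), "cpu_otherwise": round(v, 1)}
    return flagged


def constructed_samples() -> list:
    """Constructed readings: a wallpaper app that works only behind the gate,
    and a music player whose CPU use is steady regardless of device state."""
    wp, mu = "wallpaper.smoke.example", "music.player.example"
    return [
        # wallpaper app, gate open (screen off, battery > 50, connected)
        Sample(0, wp, False, 90, True, 88.0),
        Sample(5, wp, False, 85, True, 92.0),
        Sample(10, wp, False, 80, True, 90.0),
        Sample(15, wp, False, 75, True, 94.0),
        # wallpaper app, gate closed for one reason or another
        Sample(20, wp, True, 90, True, 3.0),    # screen on
        Sample(25, wp, False, 40, True, 1.0),   # battery too low
        Sample(30, wp, False, 80, False, 2.0),  # no network
        Sample(35, wp, True, 30, True, 2.0),    # screen on and low battery
        # music player: ~25% CPU whether or not the gate is open
        Sample(0, mu, False, 90, True, 24.0),
        Sample(5, mu, False, 85, True, 26.0),
        Sample(10, mu, False, 80, True, 25.0),
        Sample(15, mu, False, 75, True, 25.0),
        Sample(20, mu, True, 90, True, 24.0),
        Sample(25, mu, False, 40, True, 25.0),
        Sample(30, mu, False, 80, False, 26.0),
        Sample(35, mu, True, 30, True, 25.0),
    ]


if __name__ == "__main__":
    for app, stats in flag_stealth_miners(constructed_samples()).items():
        print(f"suspect: {app} {stats}")
```

The heuristic deliberately requires readings on both sides of the gate, so an app observed only while the screen is off is not judged; on a real device the same contrast can be built from per-UID CPU accounting sampled alongside screen, battery and connectivity state, and the thresholds would be tuned to the device's normal background load.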
BadLepricon isn’t the first instance of Bitcoin mining malware being inserted into what otherwise appeared to be a reputable program.
A few weeks ago, a pair of apps boasting millions of downloads were removed from the Google Play store for serving as a vehicle for a similar botnet that mined Bitcoin derivatives like Litecoin and Dogecoin, which are considerably less difficult to mine.
Last year, it was revealed that New York-based E-Sports Entertainment Association had covertly turned some 14,000 of its users into unwitting cryptocurrency miners. After being outed, the company initially claimed the whole thing was an April Fool’s joke, but eventually was forced by a New Jersey court to pay a $325,000 fine and be subjected to a decade of probation.
Lookout noted that, if the people behind BadLepricon had been upfront about their intentions, and cut users in on the proceeds, their plan to turn smartphones into a decentralized mining network might actually be a solid business model:
Instead of being served advertising, people could use a few processing cycles to mine cryptocurrency instead. We can see a world where that would be tolerated, but in the case of BadLepricon, not alerting the user to your intentions will land you straight in the malware pile.
Photo by Reeda/Wikimedia Commons