
Android Botnet Mines for Cryptocurrencies, Damages Devices

Cryptocurrencies have been abuzz in the media this year. So far the focus has been on Bitcoin, the volatile cryptocurrency once valued at more than $1200 each, but currently worth less than half its previous high. Speculating on the value of Bitcoin has made accidental millionaires and left others eating their own hats, quite literally. But Bitcoin isn't the only cryptocurrency game around and cyber criminals are always quick to exploit new illicit income opportunities.

In late March, security firm Trend Micro uncovered malware capable of hijacking Android devices to mine lesser-known cryptocurrencies: Litecoin, Dogecoin and Casinocoin. Dubbed CryptoMiner by Armor for Android (Kagecoin by Trend Micro, CoinKrypto by Lookout, and MalMiner by Symantec), these threats have been discovered on third-party Android markets and forums. However, some CryptoMiner Trojans have also been found on Google Play, where they appear to have been downloaded one million to five million times.


CryptoMiner Trojans wait for the Android device to connect to the internet and then contact a remote server where a config file is downloaded. The config file directs the malware to one of several mining pools where numerous devices pool together their collective processing power to mine for cryptocurrency. The Android botnet created by the CryptoMiner Trojans is likely used to assist in established cryptocurrency mining operations created by the malware author.
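The pool connection described above is what a defender can see on the network. The following is an added example, not code from the article or from any vendor named in it: it flags devices that complete a mining-pool handshake in captured traffic. It assumes the pools speak the Stratum JSON-RPC protocol in cleartext, which the article does not state, and every address, host name and payload line in the sample is constructed.

```python
import json
from collections import defaultdict

# Stratum JSON-RPC methods a mining client sends to a pool (assumption: the
# pools speak Stratum; the article does not name the protocol).
CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}

# Constructed sample: (device, destination, one newline-delimited TCP payload line).
SAMPLE = [
    ("10.0.0.21", "pool.example.net:3333",
     '{"id": 1, "method": "mining.subscribe", "params": ["miner/1.0"]}'),
    ("10.0.0.21", "pool.example.net:3333",
     '{"id": 2, "method": "mining.authorize", "params": ["worker1", "x"]}'),
    ("10.0.0.21", "pool.example.net:3333",
     '{"id": 4, "method": "mining.submit", "params": ["worker1", "job", "00", "00", "00"]}'),
    ("10.0.0.35", "news.example.org:80",
     "GET /story?q=mining.subscribe HTTP/1.1"),          # text match only, not JSON-RPC
    ("10.0.0.35", "api.example.org:443",
     '{"id": 7, "method": "getStatus", "params": []}'),  # JSON-RPC, but not Stratum
    ("10.0.0.40", "pool.example.net:3333", '{"id": 1, "method": "mining.sub'),  # truncated
]

def find_pool_sessions(records):
    """Return {(device, destination): {method: count}} for Stratum client calls."""
    sessions = defaultdict(lambda: defaultdict(int))
    for device, dest, line in records:
        try:
            msg = json.loads(line)
        except ValueError:
            continue  # not JSON (HTTP, TLS, truncated capture): ignore
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        if isinstance(method, str) and method in CLIENT_METHODS:
            sessions[(device, dest)][method] += 1
    return {key: dict(counts) for key, counts in sessions.items()}

def mining_devices(records):
    """Devices that both subscribed and authorized: a full pool handshake."""
    handshake = {"mining.subscribe", "mining.authorize"}
    return sorted({dev for (dev, _), seen in find_pool_sessions(records).items()
                   if handshake <= set(seen)})

if __name__ == "__main__":
    print(find_pool_sessions(SAMPLE))
    print(mining_devices(SAMPLE))
```

Parsing each line as JSON instead of searching for the substring keeps ordinary web requests that merely mention a method name from being flagged.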

So why mine secondary cryptocurrencies like Litecoin, Dogecoin, or Casinocoin, when Bitcoin is obviously more popular and considerably more valuable? Why not mine Bitcoin? The answer is degree of difficulty. The Bitcoin mining landscape is so oversaturated that it requires specially designed hardware worth thousands of dollars to mine at a moderate rate. Using a Google Nexus 5, it would take approximately 296 years to mine a single Bitcoin.

Instead of mining for the diamond of digital currencies, the CryptoMiner authors exploit the computing power of their mobile botnet to mine for the silver and bronze cryptocurrencies. But even these less popular cryptocurrencies require more computing power than is available on a single Android device, which is why the infected devices pool their processing power.


CryptoMiner Trojans are significantly more dangerous than legitimate cryptocurrency mining applications. There are numerous legitimate mining applications on Google Play and other application markets that use excess processing power to mine for cryptocurrencies, but these applications include safeguards to prevent overloading the processor and damaging the device. The CryptoMiner malware authors are only interested in maximizing the processing power of their mining operations and have no concern for the well-being of infected devices.

Unlike legitimate cryptocurrency mining applications, CryptoMiner Trojans push device processors to their limits. Infected devices will exhibit the following symptoms when CryptoMiner Trojans are present:

  • Poor battery life
  • Overheating batteries
  • Difficult to charge batteries
  • Unusually high data usage

CryptoMiner is an unusual type of Android threat. Normally, Android malware is designed to steal money or information from infected devices, but CryptoMiner software steals the device's processing power. The main risk of this malware is that it can cause irreparable damage by overloading a device. It may not actively steal tangible items of value from the victim, but it is still a dangerous Android threat.


Keeping Your Android Safe

Always review applications before downloading them and remember: just because an application is on Google Play doesn't mean that it's safe. Never download cracked applications that are normally paid but are being offered for free by an unofficial developer. And keep these three important tips in mind to keep your Android device safe!

  • Install and use an Android antivirus application to detect and prevent a malware infection.
  • Always stay up to date with application, operating system, and antivirus updates. Updates often include patches to newly discovered security vulnerabilities and keep the device protected against the latest threats.
  • Read user reviews and research applications before installing. Review application developers' websites and social media accounts to establish if the developer is trustworthy.♦

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Twitter:@James_AfA
