According to security researchers, millions of Android device users could have been hijacked in a drive-by cryptocurrency mining campaign. The researchers say that, over the past few months, the hackers have been clandestinely mining Monero coins on the hijacked smartphones without the users' knowledge.
According to Malwarebytes, the campaign could have started in November last year but was first observed in January. According to the report, millions of Android smartphone users have been redirected to a page specifically designed to perform in-browser mining of cryptocurrency. Although the mining is said to run automatically and without user consent, visitors are generally presented with a CAPTCHA to solve to prove that they are human and not robots.
The warning message reads “Your device is showing suspicious behavior. Please prove that you are human by solving the captcha. Until you verify yourself as human, your browser will mine the Cryptocurrency Monero for us in order to recover the server costs incurred by bot traffic.” This means that until the user enters the code, the smartphone or tablet will be mining Monero and exerting a load on the device processor.
Surprisingly, once users enter the code, they are redirected to the Google homepage. The code is static and hardcoded into the page source, making the process appear malicious. According to Malwarebytes, victims may encounter the forced redirection during regular browsing sessions or via infected apps that contain malicious ads. The lead malware intelligence analyst at Malwarebytes commented that the campaign may be chasing low-quality traffic and not necessarily bots; running a browser-based Monero miner on that traffic is more effective than just serving it ads and helps the website owner generate revenue.
In its recent research, Malwarebytes found five domains using the same CAPTCHA and the same Coinhive site keys for the mining campaign. Based on the analysis, at least two of the five websites had more than 30 million visits every month, and all the domains together receive about 800,000 visitors per day.
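Shared site keys are what tie otherwise unrelated redirect domains to one operator. The following is an added example, not code from Malwarebytes or from the original article, showing how an analyst could group captured page sources by Coinhive site key. The domains and keys are constructed placeholders, and it assumes the key appears unobfuscated in a Coinhive JavaScript constructor call.

```python
import re
from collections import defaultdict

# Assumption: pages embed the key via Coinhive's JavaScript constructors,
# e.g. new CoinHive.Anonymous('SITE_KEY'). Obfuscated pages need more work.
SITE_KEY_RE = re.compile(
    r"""CoinHive\.(?:Anonymous|User|Token)\(\s*['"]([A-Za-z0-9]+)['"]"""
)

# Constructed sample input: hypothetical domains and placeholder site keys.
SAMPLE_PAGES = {
    "redirect-a.example": (
        "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
        "<script>var m = new CoinHive.Anonymous('PLACEHOLDERKEY0001');"
        " m.start();</script>"
    ),
    "redirect-b.example": (
        '<script>new CoinHive.Anonymous( "PLACEHOLDERKEY0001",'
        " {throttle: 0.2}).start();</script>"
    ),
    "redirect-c.example": (
        "<script>new CoinHive.User('PLACEHOLDERKEY0002', 'u1').start();</script>"
    ),
    "news.example": "<html><body>No miner here</body></html>",
}


def extract_site_keys(html):
    """Return every Coinhive site key referenced in one page's source."""
    return set(SITE_KEY_RE.findall(html))


def cluster_by_site_key(pages):
    """Map each site key seen on two or more domains to those domains."""
    domains_by_key = defaultdict(set)
    for domain, html in pages.items():
        for key in extract_site_keys(html):
            domains_by_key[key].add(domain)
    # A key reused across domains suggests common ownership of the pages.
    return {k: sorted(d) for k, d in domains_by_key.items() if len(d) > 1}


if __name__ == "__main__":
    for key, domains in cluster_by_site_key(SAMPLE_PAGES).items():
        print(key, "->", ", ".join(domains))
```

Domains that cluster under one key are candidates for the same web-filter blocklist entry.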
It is highly recommended to have web filtering or security applications on your smartphones, as forced cryptomining is now affecting phones and tablets on a large scale. It arrives not only via infected apps but also via redirections and pop-unders that generally go unnoticed.