April 24, 2014

BadLepricon: Bitcoin gets the mobile malware treatment in Google Play


Your phone is running low on battery and it seems to be working harder than usual. Would you ever suspect that it was secretly mining Bitcoin for someone you don’t know?

Lookout found a piece of mobile malware in Google Play that quietly uses your phone’s processing power to create new coins. We call it BadLepricon, and yes, that is how the malware authors spelled “leprechaun.” We hope they were going for a clever play on the word “con.”

The malware comes in the form of a wallpaper app. Google promptly removed five of these applications after we alerted them to the issue. The apps had between 100-500 installs each at the time of removal.

If you’re a Lookout user, don’t worry about doing the work without the pay. You’re protected from this malware.

Mining Bitcoin

We introduced you to another miner last month called CoinKrypt that focused on coins such as Litecoin, Dogecoin, and Casinocoin. The people behind this malware decided to go for these “low-hanging fruit” coins because you can actually mine more coins with less computing power.

But even then it’s not that lucrative. A phone’s computing power doesn’t actually result in that many coins. Every coin has a difficulty rate, which is determined by the amount of computing power needed to mine that coin and other factors. The difficulty for Bitcoin is so tough right now that a recent mining experiment using 600 quadcore servers was only able to generate 0.4 Bitcoins over one year.

That said, the malware author seems confident.

A Pool of Bitcoin Miners

Because of these difficulty levels, miners often don’t work alone. Instead, they work in groups, pooling their processing resources. They collect payment as a percentage of the processing power they contribute.

In order to control the bots, which can number in the thousands, the malware author may use a proxy to set up a single point of contact. BadLepricon uses a Stratum mining proxy, which lets the author switch mining pools or wallet connections with ease.

It also gives the malware author some anonymity by obfuscating which wallet is being fed the mined Bitcoins.
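Stratum is a line-oriented JSON-RPC protocol, so a device that is mining can be spotted on the wire by the method names it sends. The following is an added example (not code from the original post or from Lookout) of a small detector that walks one captured TCP conversation, flags the Stratum client methods, and pulls out the worker name from `mining.authorize`. The sample capture is constructed for the example; it is not traffic from BadLepricon. The "worker name" is what the post's proxy indirection hides: from the device's side you only see the login the proxy was given, not the wallet the proxy pays into.

```python
import json

# Methods defined by the Stratum mining protocol (JSON-RPC, one object per line
# over a raw TCP socket). A device that sends the client-side methods is mining.
STRATUM_CLIENT_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}
STRATUM_SERVER_METHODS = {"mining.notify", "mining.set_difficulty"}


def parse_stratum_line(line):
    """Return (method, params) if `line` is a Stratum request, else None.

    Responses (objects with "result" but no "method") and non-JSON lines such
    as ordinary HTTP traffic are ignored.
    """
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    if method not in STRATUM_CLIENT_METHODS | STRATUM_SERVER_METHODS:
        return None
    params = msg.get("params")
    return method, (params if isinstance(params, list) else [])


def summarize_session(lines):
    """Walk one captured conversation and report the mining activity in it.

    `workers` holds the account/worker name sent in mining.authorize. Talking to
    a pool directly, that name identifies the pool account; behind a Stratum
    proxy it only identifies the proxy's own login.
    """
    methods_seen = set()
    workers = []
    shares = 0
    for line in lines:
        parsed = parse_stratum_line(line)
        if parsed is None:
            continue
        method, params = parsed
        methods_seen.add(method)
        if method == "mining.authorize" and params:
            workers.append(str(params[0]))
        elif method == "mining.submit":
            shares += 1
    return {
        "is_mining": bool(methods_seen & STRATUM_CLIENT_METHODS),
        "pool_responded": bool(methods_seen & STRATUM_SERVER_METHODS),
        "workers": workers,
        "shares_submitted": shares,
        "methods": sorted(methods_seen),
    }


# Constructed sample: a short client/server exchange in the shape Stratum uses,
# with an unrelated HTTP line mixed in. Not traffic from the real malware.
SAMPLE_CAPTURE = [
    '{"id": 1, "method": "mining.subscribe", "params": []}',
    '{"id": 1, "result": [[["mining.notify", "abcd1234"]], "08000002", 4], "error": null}',
    '{"id": 2, "method": "mining.authorize", "params": ["example.worker1", "x"]}',
    '{"id": 2, "result": true, "error": null}',
    '{"id": null, "method": "mining.set_difficulty", "params": [1]}',
    '{"id": null, "method": "mining.notify", "params": ["job01", "00", "01", "ff", [], "00000002", "1c2ac4af", "504e86b9", false]}',
    'GET /wallpaper/config HTTP/1.1',
    '{"id": 3, "method": "mining.submit", "params": ["example.worker1", "job01", "00000000", "504e86b9", "b2957c02"]}',
    '{"id": 3, "result": true, "error": null}',
]

if __name__ == "__main__":
    print(summarize_session(SAMPLE_CAPTURE))
```

Run against a real capture, feed it the reassembled payload of one TCP stream, one line per JSON object; a wallpaper app that ever emits `mining.subscribe` has no legitimate reason to, whatever pool or proxy it is pointed at.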

When Malware has Self-control

These apps did fulfill their advertised purpose in that they provided live wallpaper apps, which vary in theme from anime girls to “epic smoke” to attractive men. However, without alerting you in the terms of service, BadLepricon enters into an infinite loop where — every five seconds — it checks the battery level, connectivity, and whether the phone’s display was on.

It does this almost as a courtesy to your phone. Miners, when left unchecked, can damage a phone by using so much processing power that it burns out the device. In order to avoid this, BadLepricon makes sure that the battery level is over 50 percent capacity, the display is turned off, and the phone has network connectivity.

If you’re a piece of malware, watching the phone’s battery power is a good way of hiding your activities as well.

CoinKrypt, on the other hand, did not employ the same safety checks and instead severely ran down the battery of one of our researchers' phones.

BadLepricon also uses a WakeLock, a feature that keeps the phone from going to sleep even when the display is turned off.
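The behaviours described above (a live wallpaper that speaks Stratum, checks battery level, screen state and connectivity, and holds a WakeLock) each leave a footprint in an APK: a permission in the manifest plus a framework class or string in the dex. The following is an added example (not code from the original post or from Lookout) of a static triage heuristic that combines those two sources. The manifest and the list of dex references are constructed for the example; the reference notation is smali-style as a dex disassembler would print it, and the indicator table and verdict names are this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
WALLPAPER_ACTION = "android.service.wallpaper.WallpaperService"

# Each indicator maps to the framework references (smali-style notation) or
# string constants that would implement it. Chosen for this example.
INDICATORS = {
    "stratum_protocol": {"mining.subscribe", "mining.authorize", "mining.submit"},
    "battery_level_check": {"android.intent.action.BATTERY_CHANGED",
                            "Landroid/os/BatteryManager;"},
    "screen_off_check": {"Landroid/os/PowerManager;->isScreenOn()Z"},
    "connectivity_check": {"Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo;"},
    "wakelock": {"Landroid/os/PowerManager$WakeLock;->acquire()V"},
}
# Permission each behaviour needs at runtime; a reference without its
# permission cannot actually execute, so it does not count as a hit.
REQUIRED_PERMISSION = {
    "stratum_protocol": "android.permission.INTERNET",
    "connectivity_check": "android.permission.ACCESS_NETWORK_STATE",
    "wakelock": "android.permission.WAKE_LOCK",
}


def manifest_facts(manifest_xml):
    """Return (declared permissions, is_live_wallpaper) from an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    is_wallpaper = any(a.get(ANDROID_NS + "name") == WALLPAPER_ACTION
                       for a in root.iter("action"))
    return perms, is_wallpaper


def triage(manifest_xml, dex_refs):
    """Score an app for the hidden-miner pattern and return a verdict dict."""
    perms, is_wallpaper = manifest_facts(manifest_xml)
    refs = set(dex_refs)
    hits = set()
    for name, needles in INDICATORS.items():
        needed = REQUIRED_PERMISSION.get(name)
        if needles & refs and (needed is None or needed in perms):
            hits.add(name)
    # Battery/screen/connectivity gating plus a WakeLock is the "self-control"
    # the post describes: mine only when the user is unlikely to notice.
    gating = {"battery_level_check", "screen_off_check", "connectivity_check"} & hits
    throttled = len(gating) >= 2 and "wakelock" in hits
    if "stratum_protocol" in hits and is_wallpaper:
        verdict = "hidden_miner_suspected"   # a wallpaper has no reason to talk to a pool
    elif "stratum_protocol" in hits:
        verdict = "miner_present"
    else:
        verdict = "no_mining_indicators"
    return {"verdict": verdict, "is_live_wallpaper": is_wallpaper,
            "hits": sorted(hits), "throttled_to_avoid_notice": throttled}


# Constructed sample manifest for a live wallpaper (not from a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.livewallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Example Smoke Wallpaper">
    <service android:name=".SmokeWallpaper"
             android:permission="android.permission.BIND_WALLPAPER">
      <intent-filter>
        <action android:name="android.service.wallpaper.WallpaperService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed list of references as pulled from the app's classes.dex.
SAMPLE_DEX_REFS = [
    "Landroid/service/wallpaper/WallpaperService;",
    "android.intent.action.BATTERY_CHANGED",
    "Landroid/os/PowerManager;->isScreenOn()Z",
    "Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo;",
    "Landroid/os/PowerManager$WakeLock;->acquire()V",
    "mining.subscribe",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX_REFS))
```

The permission cross-check matters in both directions: a WakeLock call without `android.permission.WAKE_LOCK` is dead code and should not raise the score, while a wallpaper requesting `INTERNET`, `ACCESS_NETWORK_STATE` and `WAKE_LOCK` together is worth a look even before the dex is examined.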

Mobile Mining Comes to the Forefront

Phones truly are tiny computers in your back pocket or purse. These devices are becoming more and more powerful, and people are starting to come up with ways to take advantage of that power. We expect to see more mobile miners come to the foreground.

But we need to remember that mobile mining could be a new business model. Instead of being served advertising, people could use a few processing cycles to mine cryptocurrency instead. We can see a world where that would be tolerated, but in the case of BadLepricon, not alerting the user to your intentions will land you straight in the malware pile.

How to Stay Safe
  • Make sure the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download app installs
  • Download a mobile security app like Lookout’s app that protects against malware as a first line of defense

6 comments
  1. Greg says:

    Thanks for watching out for us. This makes my subscription worth the price

  2. steve says:

    Unfortunately, lookout itself seems to empty my SGS3's battery after some time of good usage now.
    Regularly sucks out more than 10 percent over the day. :-(

  3. Alvin Ponder says:

    Lookout is nothing to fear but is a great discovery

  4. Patricia Hale says:

    I received an email today around the hours of 3-4 am to my Comcast email from support@look.com indicating that my request regarding my lost phone was received. Well I did not send lookout support any email messages like that. The email instructed me to reply to it. I moved it to my spam folder. I believe this is a scam. Have you heard this from any other customer?

  5. Meghan Kelly says:

    Hey Steve, sorry to hear that you’re having a problem with the battery! Would you email us? support [at] lookout [dot] com

  6. Meghan Kelly says:

    Hi Patricia, would you send an email to our support team with the email address you use on your Lookout account as well as your device details? support [at] lookout [dot] com
