April 24, 2014

BadLepricon: Bitcoin gets the mobile malware treatment in Google Play

By Lookout

Your phone is running low on battery and it seems to be working harder than usual. Would you ever suspect that it was secretly mining Bitcoin for someone you don’t know? Lookout found a piece of mobile malware in Google Play that quietly uses your phone’s processing power to create new coins. We call it BadLepricon, and yes, that is how the malware authors spelled “leprechaun.” We hope they were going for a clever play on the word “con.” The malware comes in the form of a wallpaper app. Google promptly removed five of these applications after we alerted them to the issue. The apps had between 100 and 500 installs each at the time of removal. If you’re a Lookout user, don’t worry about doing the work without the pay: you’re protected from this malware.
Mining Bitcoin
We introduced you to another miner last month called CoinKrypt that focused on coins such as Litecoin, Dogecoin, and Casinocoin. The people behind that malware went for these “low-hanging fruit” coins because you can mine more of them with less computing power. But even then it’s not that lucrative: a phone’s computing power simply doesn’t produce many coins. Every coin has a difficulty rate, determined by the amount of computing power needed to mine that coin and other factors. The difficulty for Bitcoin is so tough right now that a recent mining experiment using 600 quad-core servers was only able to generate 0.4 Bitcoins over one year. That said, the malware author seems confident.
A Pool of Bitcoin Miners
Because of these difficulty levels, miners often don’t work alone. Instead, they work in groups, pooling their processing resources, and collect payment as a percentage of the processing power they contribute. In order to control the sometimes thousands of bots, the malware author may use a proxy to set up one point of contact. BadLepricon uses a Stratum mining proxy, which lets the author change mining pools or the connection to a Bitcoin wallet with ease. It also gives the malware author some anonymity by obscuring which wallet is being fed the mined Bitcoins.
When Malware has Self-control
These apps did fulfill their advertised purpose in that they provided live wallpapers, which vary in theme from anime girls to “epic smoke” to attractive men. However, without alerting you in the terms of service, BadLepricon enters into an infinite loop where -- every five seconds -- it checks the battery level, connectivity, and whether the phone’s display is on. It does this almost as a courtesy to your phone. Miners, when left unchecked, can damage a phone by using so much processing power that it burns out the device. In order to avoid this, BadLepricon makes sure that the battery level is above 50 percent capacity, the display is turned off, and the phone has network connectivity before it mines. If you’re a piece of malware, watching the phone’s battery power is a good way of hiding your activities as well. CoinKrypt, on the other hand, did not employ the same safety checks and instead severely ran down the battery of one of our researchers’ phones. BadLepricon also holds a WakeLock, an Android feature that keeps the phone from going to sleep even when the display is turned off.
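The gating behaviour described above can be turned into a detection heuristic. The following is an added example, not Lookout's code: it scores constructed five-second telemetry for one app and flags an app whose heavy CPU use is confined almost entirely to the windows in which BadLepricon mines (display off, battery above 50 percent, network up). The thresholds and sample values are assumptions chosen for the constructed data.

```python
"""Behavioural heuristic for BadLepricon-style mining gates (added example,
not Lookout's code). Scores constructed five-second telemetry for one app: the
post says the miner runs only while the display is off, the battery is above
50 percent and the network is up, so an app whose heavy CPU use is confined
almost entirely to those windows is flagged."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    screen_on: bool
    battery_pct: int
    network_up: bool
    app_cpu_pct: float  # CPU share attributed to the app in this interval


def gate_open(s):
    """The three gating conditions the post attributes to BadLepricon."""
    return (not s.screen_on) and s.battery_pct > 50 and s.network_up


def mining_suspicion(samples, busy_cpu=60.0, min_gated=6):
    """Return (suspicious, stats): busy when the gate is open, idle otherwise.

    Thresholds are assumed values chosen for the constructed data."""
    gated = [s for s in samples if gate_open(s)]
    ungated = [s for s in samples if not gate_open(s)]
    stats = {"gated": len(gated), "ungated": len(ungated)}
    if len(gated) < min_gated or not ungated:
        return False, stats  # not enough gated windows to judge
    stats["busy_gated"] = sum(s.app_cpu_pct >= busy_cpu for s in gated) / len(gated)
    stats["busy_ungated"] = sum(s.app_cpu_pct >= busy_cpu for s in ungated) / len(ungated)
    # A normal wallpaper is idle in both windows; a game is busy in both.
    return stats["busy_gated"] >= 0.8 and stats["busy_ungated"] <= 0.1, stats


def constructed_miner_telemetry():
    """Constructed samples shaped like the behaviour described in the post."""
    return ([Sample(True, 90, True, 3.0)] * 6        # screen on: idle
            + [Sample(False, 90, True, 95.0)] * 8    # gate open: pegged CPU
            + [Sample(False, 40, True, 2.0)] * 4     # battery too low: idle
            + [Sample(False, 90, False, 1.0)] * 4)   # no network: idle
```

A legitimate game is busy in both windows and a plain wallpaper is idle in both, so neither trips the heuristic; only the gated pattern does.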
Mobile Mining Comes to the Forefront
Phones truly are tiny computers in your back pocket or purse. These devices are becoming more and more powerful, and people are starting to come up with ways to take advantage of that power. We expect to see more mobile miners come to the foreground. But we need to remember that mobile mining could be a new business model: instead of being served advertising, people could give up a few processing cycles to mine cryptocurrency. We can see a world where that would be tolerated, but in the case of BadLepricon, not alerting the user to your intentions will land you straight in the malware pile.
How to Stay Safe
  • Make sure the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download app installs
  • Download a mobile security app like Lookout’s app that protects against malware as a first line of defense

4 comments


Patricia Hale says:

May 14, 2014 at 8:02 am

I received an email today around the hours of 3-4 am to my Comcast email from support@look.com indicating that my request regarding my lost phone was received. Well I did not send lookout support any email messages like that. The email instructed me to reply to it. I moved it to my spam folder. I believe this is a scam. Have you heard this from any other customer?


Meghan Kelly says:

June 06, 2014 at 11:24 am

Hi Patricia, would you send an email to our support team with the email address you use on your Lookout account as well as your device details? support [at] lookout [dot] com


Alvin Ponder says:

May 01, 2014 at 9:10 pm

Lookout is nothing to fear but is a great discovery


steve says:

April 27, 2014 at 3:33 am

Unfortunately, Lookout itself seems to empty my SGS3's battery after some time of good usage now. It regularly sucks out more than 10 percent over the day. :-(


Meghan Kelly says:

June 06, 2014 at 10:49 am

Hey Steve, sorry to hear that you're having a problem with the battery! Would you email us? support [at] lookout [dot] com


Greg says:

April 25, 2014 at 5:49 am

Thanks for watching out for us. This makes my subscription worth the price.