• Dubbed as “UFO Miner”, the app has no user interface and relies on Android Webview to download malicious payloads
  • A small part of automated attacks targeted at Android devices contained this miner malware.

A malicious cryptomining app which is seen to target Android-based devices has been discovered recently. Known as “UFO Miner”, this app lacked a user interface and banked on Chrome’s Android Webview to download malicious payloads which corrupt the hardware of the device.

Andrew Brandt, Principal Researcher at Sophos spotted this app when he was analyzing samples of automated attacks directed towards Android devices.

Worth noting

  • A honeypot was used to capture automated attacks made on Android.
  • These attacks came from IP addresses that mainly originated in Hong Kong, South Korea, Taiwan, Russia, Iran, and the US.
  • UFO Miner attacks were relatively few compared to other app-based attacks that were hundreds of thousands in number.
  • The app once installed into the device, loaded a JavaScript file from Coinhive on a Web page in the app.
  • Linux shell scripts downloaded from the app ran a profile on the processor architecture and then downloaded mining bots on the device.

How much impact does it have - Even though UFO Miner attacks are relatively few in number so far, Brandt suggests that it might soon pick up with more rogue IoT botnets.

“UFO Miner is just one of a number of malicious apps that have been picked up by the honeypot, but it has (so far) been the most prolific. It seems that botherder gangs that operate IoT botnets (like Mirai) have slowly been joining the ADB bandwagon,” the researcher wrote.

How can you protect yourself from it?

Unlike other malicious apps, UFO Miner does not present much hassle for uninstallation. It can be located in the Apps section of Settings under the name “Test”. Using Force Stop and then uninstalling the app would remove the miner app completely from the device.

The other method involves performing a factory reset of the device.

Cyware Publisher