A Mobile Bitcoin Miner? Really?

Illustration 1: Advises victim to check CPU & battery temperature

Here is the code monitoring the device’s CPU temperature:

public float getCpuTemp() {

        float v4;

        try {           

            Process v2 = Runtime.getRuntime().exec(“cat sys/class/thermal/thermal_zone0/temp”);

            v2.waitFor();

            v4 = Float.parseFloat(new BufferedReader(new InputStreamReader(v2.getInputStream())).readLine()) /

 1000f;

        }

The application makes a lot of effort to seem legitimate:

  1. The website (below) has a professional look (the link to the Play Store is broken though, as the application has been removed from the marketplace).
  2. There is a support email.
  3. There is a Privacy Policy.
  4. There is an option “Personalized advertising GDPR” 😉
  5. You can get “Upgrade Plans” to mine faster (!!) by rating the app or purchasing it. Actually, you get upgraded to the “Demo Premium Plan” even if you do not rate the app 😉

The bitcoins withdrawal feature is also fake. The code is quite explicit: once you request a payment, the app simulates the transaction flow. At the beginning, the transaction will be marked “Pending”. Then 5 days later, it changes its status to “Approved”. Then 5 days later to “In Processing”, and finally to “Sent”.

If (ref.balance_unreal > 0f) {  // if balance is positive

    TextView tv = new TextView(this);

    tv.setTextColor(App.getContext().getResources().getColor(resource));

    long timediff = System.currentTimeMillis() – ref.balance_unrealtime;

    if (timediff < 432000000) {  // 5 days

        tv.setText(i.displayDate(ref.balance_unrealtime) + ”  Pending: ” + i.displayFloat(ref.balance_unreal));

    }   

    else if(timediff < 864000000) {

        tv.setText(i.displayDate(ref.balance_unrealtime) + ”  Approved: ” + i.displayFloat(ref.balance_unreal));  // 10 days

    }   

    else if(timediff < 1296000000) {        

        tv.setText(i.displayDate(ref.balance_unrealtime) + ”  In Processing: ” + i.displayFloat(ref.balance_unreal));  // 15 days

    }   

    else {

        tv.setText(i.displayDate(ref.balance_unrealtime) + ”  Sent: ” + i.displayFloat(ref.balance_unreal) + “nTrans id: ” + g.generateRandomTransactionId() + “..”);  // more than 15 days

            }

    this.llWithdrawals.addView(((View)tv));

    }  

Last but not least, we noticed lots of dummy functions in the code to make analysis more difficult. The following is an example of one of these functions:

public static void dummy() {  // [does nothing except confuse the reversing… ;)]

        inr v1 = 10;
        int v4 = 0;
        int v2 = 356421020;
        int v3 = 0x7601C42E;
        int v0 = 20;
        int v5;
        for(v5 = 0; v5 < v0; ++v5) {
             v1 += -10;
             if(v1 < 0) {
                v1 += 20;
                ++v3;
                ++v2;
             }
            else {
                  v3 = v3;
                  ++v2;
            }
        }
        new SecureRandom().nextFloat();
        for(v0 = 0; v4 < 18; ++v0) {
             v4 += v0;
        }
    }

Conclusion

Whatever happens, remember that any application which claims to “mine Bitcoins” on a smartphone is suspicious.

– the Crypto Girl

Fortinet detects both applications with the following:

  • 5b96c6ef5fcdd632e051c3df2c0c7f4149dceffdc1713bf84bc855de9356119b as Riskware/CoinHive!Android
  • be4f08d244dcb57bfbb507042c221b8a8748e9d292fd881f90316414f03c3242, 0a8e1072a288f23ffa4d7f6978b37bbc979b26ee9d21421c4797818bd1efe93d and b79d13e426498b442995ffd4f6142efe1d28456b92f814338ee7454d9f252ecf as Riskware/FakeMiner!Android 
Fortigate is an enterprise network security appliance that works with
Cloud Bare Metal. Contact us to find out our latest offers!

Comments are closed.