
Malware Hijacks Millions of Android Devices to Mine Monero


Cybercriminals are increasingly hijacking other people’s devices to mine Monero (XMR), in a trend now called cryptojacking. According to Malwarebytes, a “drive-by” mining campaign recently redirected millions of Android users to a website that hijacked their devices to mine the privacy-centric cryptocurrency using Coinhive.

The campaign redirected users to a page that informed them their device was “showing suspicious surfing behavior.” As a result, users had to verify they were human by solving a CAPTCHA, while the campaign used their devices to mine Monero to cover server costs caused by bot traffic.

All users had to do was solve the CAPTCHA and click a “continue” button. Once users solved the CAPTCHA, the campaign redirected them to Google’s home page, which researchers noted was an odd choice. Malwarebytes details that it first spotted the “drive-by” campaign last month, but that it could’ve been around since November 2017. The exact trigger that captured users isn’t clear, but researchers believe infected apps with malicious ads did the trick.

Their post reads:

“While Android users may be redirected from regular browsing, we believe that infected apps containing ad modules are loading similar chains leading to this cryptomining page. This is unfortunately common in the Android ecosystem, especially with so-called “free” apps.”

Malwarebytes researchers weren’t able to identify all the domains users were being redirected to. They managed to identify five domains, and concluded that these received about 800,000 visits per day, with an average of four minutes spent mining, per user.

To estimate the number of hashes being produced, researchers note, a conservative rate of 10 h/s was used. This low hash rate, coupled with the four-minute average time spent mining, means the hackers behind it could only be making “a few thousand dollars” per month.

The Cryptojacking Trend

Notably, researchers discovered the drive-by campaign while studying a separate malware dubbed EITest. They were testing various chains that often led to tech support scams on Windows, but soon found that things were different when using Android.

The ongoing cryptojacking trend seemingly began when torrent-index website the Pirate Bay started using it as a potential alternative to ads. Since then, bad actors have taken advantage of the code Coinhive provides to mine Monero, and used it on Google Chrome extensions, UFC’s website, and even Starbucks’ Wi-Fi.

PC users can block cryptocurrency mining scripts by using anti-malware programs and by browsing the web with browsers that have built-in blocking tools, such as Opera and Brave. Android users should stick to Google’s Play Store and use security software.


AUTHOR

Francisco Memoria
