Cryptocurrency mining code is becoming increasingly pesky for mobile users, according to a number of security firms. It’s often hidden inside malicious apps that suck up a smartphone’s computing power to work out difficult mathematical problems, the solutions to which unlock fresh coins.
Yet a recent case has proven it’s not always easy to tell whether those adding mining functionality to apps are doing so to screw users over.
Researchers from Lookout Mobile Security looked into a software development kit that let software creators replace the Android lock screen with a customised version of their choosing. The Widdit SDK was seen using mining code, alongside an app that Lookout believes was used to test the functionality.
Widdit was using Litecoin mining code from the open source project LTCMiner. It likely avoided the considerably more popular Bitcoin, which is much harder to mine.
Lookout became concerned when it noticed developers using the Widdit SDK would not have been alerted to the mining code sitting inside their apps, especially as it was possible the secret feature was uploaded after apps were placed on online marketplaces.
“The later version of the SDK downloaded the mining code dynamically along with additional code at runtime,” a blog post from the company read.
“This has legitimate benefits, of course. It means developers using the SDK do not have to update their apps every time the Widdit SDK is updated. It also means most developers have no idea that Litecoin mining code is included with the SDK. It was not communicated anywhere on the Widdit website or in any terms of service.
“This could also be a tactic to get around Google’s security scanner Bouncer in that the actual ‘bad’ code doesn’t exist until after it has gone through the scanning process.”
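The mechanism Lookout describes, fetching the real payload over the network after the package has been reviewed and executing it through a class loader, leaves a recognisable footprint in decompiled code. The following is an added illustration, not Lookout’s tooling and not Widdit’s code: a heuristic scan over decompiled (smali) class bodies that flags the Android APIs which load code at runtime, and raises the severity when the same class also opens a network connection. The `dalvik.system` and `java.net` references are real Android APIs; the class names and smali snippets in the sample are constructed.

```python
"""Heuristic scan of decompiled Android classes for runtime code loading.

Added illustration (not Lookout's tooling and not Widdit's code): a
reviewer who has decompiled an app or a bundled SDK can grep the output
for the APIs that let a package execute code that was not present when
the package was scanned. The sample input below is constructed.
"""
import re

# Dalvik/ART classes and methods that execute code from a file or buffer
# obtained at runtime. These are real Android API names.
DYNAMIC_LOAD_PATTERNS = {
    "DexClassLoader": r"Ldalvik/system/DexClassLoader;",
    "PathClassLoader": r"Ldalvik/system/PathClassLoader;",
    "InMemoryDexClassLoader": r"Ldalvik/system/InMemoryDexClassLoader;",
    "DexFile.loadDex": r"Ldalvik/system/DexFile;->loadDex",
}

# Signs that whatever gets loaded arrives over the network rather than
# shipping inside the APK: a URL opened as an HttpURLConnection.
NETWORK_PATTERNS = {
    "HttpURLConnection": r"Ljava/net/HttpURLConnection;",
    "URL.openConnection": r"Ljava/net/URL;->openConnection",
}


def scan_smali(class_name, smali_text):
    """Return a dict describing the dynamic-loading indicators in one class."""
    loaders = sorted(name for name, pat in DYNAMIC_LOAD_PATTERNS.items()
                     if re.search(pat, smali_text))
    network = sorted(name for name, pat in NETWORK_PATTERNS.items()
                     if re.search(pat, smali_text))
    # Highest concern: one class both talks to the network and loads code
    # from a file, the shape of "fetch the real payload after review".
    severity = "none"
    if loaders and network:
        severity = "high"
    elif loaders:
        severity = "medium"
    return {"class": class_name, "loaders": loaders,
            "network": network, "severity": severity}


def scan_package(classes):
    """Scan a mapping of class name -> smali text; worst findings first."""
    order = {"high": 0, "medium": 1, "none": 2}
    findings = [scan_smali(name, text) for name, text in classes.items()]
    return sorted(findings, key=lambda f: (order[f["severity"]], f["class"]))


# Constructed sample: two classes from a hypothetical SDK. The package and
# class names are made up; only the dalvik/java API references are real.
SAMPLE_CLASSES = {
    "com/example/sdk/Updater": """
.class public Lcom/example/sdk/Updater;
.method private fetch()V
    new-instance v0, Ljava/net/URL;
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    check-cast v1, Ljava/net/HttpURLConnection;
    new-instance v2, Ldalvik/system/DexClassLoader;
    invoke-direct {v2, v3, v4, v5, v6}, Ldalvik/system/DexClassLoader;-><init>(...)V
.end method
""",
    "com/example/sdk/LockScreenView": """
.class public Lcom/example/sdk/LockScreenView;
.method public onDraw(Landroid/graphics/Canvas;)V
    invoke-super {p0, p1}, Landroid/view/View;->onDraw(Landroid/graphics/Canvas;)V
.end method
""",
}

if __name__ == "__main__":
    for finding in scan_package(SAMPLE_CLASSES):
        print(finding["severity"].upper(), finding["class"],
              finding["loaders"], finding["network"])
```

A hit is a reason to read the class, not proof of misbehaviour: plenty of legitimate SDKs use `DexClassLoader` for plugin or update mechanisms, which is exactly why a pre-publication scanner sees nothing wrong and why a human reviewer of a third-party SDK should ask what the downloaded code does.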
When Widdit was approached by Lookout, it said it was testing out distributed computing over Android and was in the process of cleaning up its apps, according to the security firm. It initially forgot to clean up the lockscreen SDK that contained the mining code.
Lookout, whilst concerned that Widdit had not alerted users to the added functionality in its SDK, noted that mining might actually be a decent alternative to serving ads for free apps.
“Like advertising, mining is another opportunity, albeit an inefficient one, to make money on mobile. There’s a chance that some companies might want to replace their advertising revenue with mining, which can be less intrusive if done right,” Lookout added.
“It’s a trade-off: instead of seeing banner ads and having your information collected, you might hand over some of your battery and computing power.”
“Though we have flagged miners and will flag them in the future, we believe that in order to be a legitimate miner, you need to blatantly alert the user to your intentions – a sentiment we shared with Widdit.”
I wouldn’t expect many to shift to mining over advertising though. There’s much more money in advertising, especially when considering it gets harder to mine currencies as more are unlocked. And security companies like Lookout are busy blocking mining features too, making it even less worthwhile.
It’s likely mining will remain an activity of malicious types, rather than legitimate devs.