VirusAndroid/HiddenMiner.A!tr
Analysis
Android/HiddenMiner.A!tr is a malware which targets Android mobile devices. It poses as an update to the Play Store, but silently mines Monero (XMR) in the background, with all benefits going to the malware authors.
The malware comes packaged as com.android.sesupdate. Its main activity is com.android.sesupdate.MainActivity. When launched, the malware activates an anti-emulator check. The verification is quite advanced and relies on several system information (system properties, presence of given files, IP address, IMSI, phone number, specific drivers etc) to determine if the process is running on an emulator or not. It detects Google's emulator but also Genymotion, Nox and Andy.
If run on an emulator, the malware quits - to harden analysis.
If the malware is running on a real device, it activates itself and requests Device Administrator rights. If not granted the rights at first, it will repeatedly ask for it later on.
Then, the malware starts mining Monero using a native miner and a well known mining pool. The benefits are redirected to the malware's public wallet address
49Bq2bFsvJFAe11SgAZQZjZRn6rE2CXHz4tkoomgx4pZhkJVSUmUHT4ixRWdGX8z2cgJeftiyTEK1U1DW7mEZS8E4dF5hkn.The malware also supports mining tracking at hxxp://debujxe.com/click.php?cnv_id= (no longer active).
The malware installs the following files on the device:
- ./assets/crashlytics-build.properties
- ./classes.dex
- ./resources.arsc
- ./fabric/com.crashlytics.sdk.android.crashlytics.properties
- ./fabric/com.crashlytics.sdk.android.crashlytics-core.properties
- ./fabric/com.crashlytics.sdk.android.answers.properties
- ./fabric/com.crashlytics.sdk.android.beta.properties
- ./fabric/io.fabric.sdk.android.fabric.properties
- ./AndroidManifest.xml
- ./META-INF/CERT.RSA
- ./META-INF/MANIFEST.MF
- ./META-INF/CERT.SF
- ./lib/armeabi/libcpuminer.so
- ./lib/armeabi/libcurl.so
- ./lib/armeabi/libgmp.so
- ./lib/armeabi-v7a/libcpuminer.so
- ./lib/armeabi-v7a/libgmp.so
- ./lib/armeabi-v7a/libcurl.so
- ./res/layout/activity_main.xml
- ./res/xml/device_admin.xml
- ./res/drawable/playstore.png
- ./res/drawable/ic_launcher_empty.png
Recommended Action
Enable anti-virus protection.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| Extreme | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |