Android apps booby-trapped to mine virtual cash
Android apps that have been downloaded millions of times have been subverted to mine virtual coins for cyberthieves, say security firms.
Two firms have found apps inside and outside the Google Play store seeded with the hidden mining code.
The programs have been mining coins for the Dogecoin, Litecoin and Casinocoin virtual currencies.
If installed, the booby-trapped apps will run down a phone's battery very quickly, said researchers.
Some of the apps harbouring the mining code were found on non-official Android stores but two of the programs, called Songs and Prized, are still available on the Google Play store. Songs has been downloaded at least one million times.
Lookout said it had seen the apps in stores popular in Spain and France.
Thieves are keen to steal computer power because virtual currencies such as Bitcoin, Dogecoin and others rely on large networks of connected machines. All those computers verify who is spending what and fresh coins are handed out for being involved - a process known as mining.
The more computer power someone can amass, the more mining they can do and, potentially, the more coins they can acquire.
However, using phones to do the mining was "odd", said Trend Micro researcher Veo Zhang in a blogpost detailing the apps seeded with the crypto coin code.
"Phones do not have sufficient performance to serve as effective miners," he said.
Lookout security researcher Marc Rogers said the simplistic nature of the code made it potentially dangerous as it made no attempt to manage how much processing power it used. Instead, he said, it just grabbed as much as it can.
"It will drive the hardware to mine until it runs out of battery," he said. "Overheating associated with this kind of harsh use can also damage hardware."
Those behind the coin code might have made efforts to hide the fact that phones were mining but users were still likely to notice, said Mr Zhang.
"Slow charging and excessively hot phones will all be seen, making the miner's presence not particularly stealthy," he wrote. "Yes, they can gain money this way, but at a glacial pace."
Despite this, he said, one of the groups producing the malicious apps had managed to amass thousands of Dogecoins which they then swapped for Bitcoins. One Bitcoin is currently worth £337.
Mr Rogers from Lookout said users might notice as mining involves swapping lots of data back and forth - which could quickly eat up a monthly data allowance.
Mr Zhang said Trend Micro had told Google's Android security team about its findings. Google has yet to comment on the discovery of the mining apps.