Cryptojacking - From Theft to Destruction

Yesterday the cryptocurrency market cap saw a loss of over $100 billion in 24 hours. To say there is risk in the market is an understatement.

Last month we talked about how the cryptocurrency hype brings with it security risk.  The rush to market with bleeding edge applications means that many mobile cryptocurrency applications and wallets contain vulnerabilities or security risks.

This week we will examine a different kind of cryptocurrency risk: cryptojacking.

What is Cryptojacking?

Cryptojacking is the process by which a malicious application or website uses the resources of client computers or mobile devices to mine for cryptocurrency. Mining is the method of authenticating and legitimizing cryptocurrency transactions, and it typically requires significant computing resources. Miners are motivated to mine by the reward: each successful block added to the ledger rewards the miner with a predetermined amount of currency. Years ago you could successfully mine Bitcoin with a standard desktop PC; today it is typically done by large-scale server farms using specialized ASIC hardware built for mining. Ultimately, cryptojacking is theft of your computer’s processing power and electricity.

Enter Coinhive

The massive rise in value of the cryptocurrency market brings with it significant interest in capitalizing on mining and the growing value of the currency. There are two major expenses in being a successful crypto miner: the cost of hardware and the electricity to run that hardware. This brings us to Coinhive. Coinhive is a JavaScript library that can be embedded in any website. When a user visits a Coinhive-enabled website they unsuspectingly download the library and begin to mine for cryptocurrency inside their browser. This allows the website operators, or the hackers that infect websites, to collect the rewards of crypto mining from a massive distributed network of miners - aka their users - without bearing the hardware or electricity costs of actually performing the mining.

Coinhive-enabled sites have been on the rise. Back in October 2017 there were estimated to be around 2,400 Coinhive websites. As of the time of writing, there are over 30,000 websites that contain the Coinhive library. Some of these sites have been hacked to add the Coinhive library to them; others are knowingly deploying the Coinhive library, often in place of ads, for revenue generation.

Mobile Devices Impact

Mobile devices are impacted from two different directions. The first is direct: browsing to infected websites. While on a Coinhive-infected site your device will be consuming CPU and battery resources to cryptomine. Website-enabled cryptojacking is limited to running while the website is open in the browser, and once you navigate away the cryptojacking terminates.

The other is cryptojacking malware applications. Researchers from Kaspersky Lab identified an Android trojan called Loapi that mines for Bitcoin so aggressively it actually caused their test device to be physically damaged, with the battery bulging out after only a 2-day test. Once infected with a trojan running in the background, users have little to no control over the resource consumption on their device and may have to resort to resetting infected devices back to factory settings to fully remove the trojan. Re-packaged apps are now also embedding crypto-mining capabilities: an unsuspecting user installs a re-packaged application thinking it is legitimate, and in the background the app uses the device to mine for cryptocurrency. Researchers have found over 290 Android APKs re-packaged to mine for Monero.

What can you do?

From a website perspective this is largely mitigated by browsing to reputable sites; however, it can be difficult to fully avoid, as some well-known websites and companies such as Starbucks Wifi, Showtime and BlackBerry Mobile have been found to have the Coinhive library (all have since removed Coinhive). If you find your device very sluggish when browsing to a specific site, this could be your culprit. Fortunately the scope is constrained to the browser session and terminates when navigating away. Use best security practices when loading new applications on your device and avoid granting unnecessary administrative permissions. Use a mobile security tool such as MI3 RECON to understand the complete security and privacy risk of an application and detect re-packaged apps before deploying.

What to do next

Contact us to see a demonstration of the RECON Platform

Watch an overview of the Mi3 Security Portfolio