The Devil is in the Details: Unwrapping the Cryptojacking Malware Ecosystem on Android

Adjibi, Boladji Vinny; Mbodji, Fatou Ndiaye; Allix, Kevin; Klein, Jacques; Bissyande, Tegawendé François D Assise

doi:10.1109/SCAM55253.2022.00023

Download

Paper published in a journal (Scientific congresses, symposiums and conference proceedings)

The Devil is in the Details: Unwrapping the Cryptojacking Malware Ecosystem on Android

Adjibi, Boladji Vinny; Mbodji, Fatou Ndiaye; Allix, Kevin et al.

2022 • In 2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM), p. 153-163

Peer reviewed

Permalink
https://hdl.handle.net/10993/54308

DOI
10.1109/SCAM55253.2022.00023

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

Cryptojacking.pdf

Author postprint (504.69 kB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

android; cryptojacking; malware; manual analysis; google play store

Abstract :

[en] This paper investigates the various technical and non-technical tools and techniques that software developers use to build and disseminate crypto mining apps on Android devices. Our study of 346 potential Android mining apps, collected between April 2019 and May 2022, has revealed the presence of more than ten mining apps on the Google Play Store, with at least half of those still available at the time of writing this (June 2022). We observed that many of those mining apps do not conceal their usage of the device’s resource for mining which is considered a violation of the store’s policies for developers. We estimate that more than ten thousand users have run mining apps downloaded directly from the Google Play Store, which puts the supposedly ”stringent” vetting process into question. Furthermore, we prove that covert mining apps tend to be embedded into supposedly free versions of premium apps or pose as utility apps that provide valuable features to users. Finally, we empirically demonstrate that cryptojacking apps’ resource consumption and malicious behavior could be insignificant. We presume that typical users, even though they might be running a mobile antivirus solution, could execute a mining app for an extended period without being alerted. We expect our results to inform the various actors involved in the security of Android devices against the lingering threat of cryptojacking and help them better assess the problem.

Disciplines :

Computer science

Author, co-author :

Adjibi, Boladji Vinny; Georgia Institute of Technology

Mbodji, Fatou Ndiaye ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

Allix, Kevin

Klein, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

Bissyande, Tegawendé François D Assise ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

External co-authors :

yes

Language :

English

Title :

The Devil is in the Details: Unwrapping the Cryptojacking Malware Ecosystem on Android

Publication date :

October 2022

Event name :

2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM)

Event place :

Limassol, Cyprus

Event date :

from 3-10-2022 to 4-10-2022

Audience :

International

Journal title :

2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM)

Publisher :

IEEE

Pages :

153-163

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

Additional URL :

https://ieeexplore.ieee.org/abstract/document/10006806

Available on ORBilu :

since 31 January 2023

Statistics

Number of views

75 (11 by Unilu)

Number of downloads

102 (7 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

WoS citations^™

Bibliography

N. Tovanich, N. Soulie, N. Heulot, and P. Isenberg, "The evolution of mining pools and miners? behaviors in the Bitcoin blockchain, " IEEE Trans. Netw. Service Manage., vol. 19, no. 3, pp. 1-12, Mar. 2022, early access.
Google, "Google keynote (Google I/O ?21)-American sign language, " May 2021, accessed June 2022. [Online]. Available: https://www.youtube.com/watch?v=Mlk888FiI8A
Google, "Google keynote (Google I/O ?22), " May 2022, accessed June 2022. [Online]. Available: https://www.youtube.com/watch?v= nP-nMZpLM1A
S. Dashevskyi, Y. Zhauniarovich, O. Gadyatskaya, A. Pilgun, and H. Ouhssain, "Dissecting Android cryptocurrency miners, " in Proc. 10th ACM Conf. Data Appl. Secur. Privacy, ser. CODASPY ?20, SIGSAC. New York, NY, USA: Association for Computing Machinery, Mar. 2020, pp. 191-202.
Z. Li, W. Liu, H. Chen, X. Wang, X. Liao, L. Xing, M. Zha, H. Jin, and D. Zou, "Robbery on DevOps: Understanding and mitigating illicit cryptomining on continuous integration service platforms, " in IEEE Symp. Secur. Privacy, ser. SP ?22. Los Alamitos, CA, USA: IEEE Computer Society, May 2022, pp. 363-378.
Google, "Financial services: Play console help, " 2022, accessed June 2022. [Online]. Available: https://support.google.com/googleplay/android-developer/answer/9876821?hl=en
BBC News, "Google bans crypto-mining apps from Play Store, " Jul. 2018, accessed in June 2022. [Online]. Available: https://www.bbc.com/news/technology-44980936
S. Varlioglu, B. Gonen, M. Ozer, and M. Bastug, "Is cryptojacking dead after coinhive shutdown?" in 3rd Int. Conf. Inf.comput. Techn., ser. ICICT ?20, San Jose, CA, USA, Mar. 2020, pp. 385-389.
F. Tommasi, C. Catalano, U. Corvaglia, and I. Taurino, "MinerAlert: An hybrid approach for web mining detection, " J.comput. Virol. Hack. Techn., pp. 1-14, Mar. 2022.
F. Naseem, A. Aris, L. Babun, E. Tekiner, and A. S. Uluagac, "MINOS: A lightweight real-Time cryptojacking detection system, " in Netw. Distrib. Syst. Secur. Symp., ser. NDSS ?21, no. 28. Virtual: Internet Society, Feb. 2021, pp. 244-259.
M. Caprolu, S. Raponi, G. Oligeri, and R. Di Pietro, "Cryptomining makes noise: Detecting cryptojacking via machine learning, " Comput.commun., vol. 171, pp. 126-139, Feb. 2021.
S. Varlioglu, N. Elsayed, Z. ElSayed, and M. Ozer, "The dangerous combo: Fileless malware and cryptojacking, " in SoutheastCon 2022. IEEE, Mar. 2022, pp. 125-132.
H. Badih and Y. Alagrash, "Crypto-jacking threat detection based on blockchain framework and deception techniques, " Amer. J. Sci. Eng., vol. 2, no. 1, pp. 1-10, Jul. 2021.
N. Lachtar, A. A. Elkhail, A. Bacha, and H. Malik, "An application agnostic defense against the dark arts of cryptojacking, " in 51st Annu. Int. Conf. Dependable Syst. Netw., ser. DSN ?21, IEEE/IFIP. Taipei, Taiwan: IEEE, Jun. 2021, pp. 314-325.
J. Clay, A. Hargrave, and R. Sridhar, "A power analysis of cryptocurrency mining: A mobile device perspective, " in 16th Annu. Conf. Privacy, Secur. Trust, ser. PST ?18. Belfast, Ireland: IEEE, Aug. 2018, pp. 1-5.
P. Kotzias, J. Caballero, and L. Bilge, "How did that get in my phone? unwanted app distribution on Android devices, " in IEEE Symp. Secur. Privacy, ser. SP ?21. San Francisco, CA, USA: IEEE, May 2021, pp. 53-69.
A. Kharraz, Z. Ma, P. Murley, C. Lever, J. Mason, A. Miller, N. Borisov, M. Antonakakis, and M. Bailey, "Outguard: Detecting in-browser covert cryptocurrency mining in the wild, " in World Wide Web Conf., ser. WWW ?19. New York, NY, USA: Association for Computing Machinery, 2019, pp. 840-852.
M. Russo, N. Srndic, and P. Laskov, "Detection of illicit cryptomining using network metadata, " EURASIP J. Inf. Secur., vol. 1, no. 11, pp. 1-20, Dec. 2021.
M. Cao, K. Ahmed, and J. Rubin, "Rotten apples spoil the bunch: An anatomy of Google Play malware, " in Proc. 44th Int. Conf. Softw. Eng., ser. ICSE ?22. New York, NY, USA: Association for Computing Machinery, May 2022, pp. 1919-1931.
Y. Zhou and X. Jiang, "Dissecting Android malware: Characterization and evolution, " in Symp. Secur. Privacy, ser. SP ?12. San Francisco, CA, USA: IEEE, May 2012, pp. 95-109.
H. Wang, J. Si, H. Li, and Y. Guo, "RmvDroid: Towards a reliable Android malware dataset with app metadata, " in IEEE/ACM 16th Int. Conf. Mining Softw. Repositories, ser. MSR ?19. Montreal, QC, Canada: IEEE, May 2019, pp. 404-408.
D. Arp, Michael, Spreitzenbarth, M. Huebner, and H. G. K. Rieck, "DREBIN: effective and explainable detection of Android malware in your pocket, " in 21th Annu. Netw. Distrib. Syst. Secur. Symp., ser. NDSS ?14, San Diego, Carlifornia, USA, Feb. 2014. [Online]. Available: https://www.ndss-symposium.org/wp-content/uploads/2017/09/11 3 1.pdf
K. Allix, T. F. Bissyande, J. Klein, and Y. Le Traon, "AndroZoo: Collecting millions of Android apps for the research community, " in Proc. 13th Int. Conf. Mining Softw. Repositories, ser. MSR ?16. New York, NY, USA: Association for Computing Machinery, 2016, pp. 468-471.
L. Li, D. Li, T. F. Bissyande, J. Klein, Y. Le Traon, D. Lo, and L. Cavallaro, "Understanding Android app piggybacking: A systematic study of malicious code grafting, " IEEE Trans. Inf. Forensics Secur., vol. 12, no. 6, pp. 1269-1284, Jan. 2017.
K. Khanmohammadi, N. Ebrahimi, A. Hamou-Lhadj, and R. Khoury, "Empirical study of android repackaged applications, " Empirical Softw. Eng., vol. 24, no. 6, pp. 3587-3629, Dec. 2019.
M. A. Harris, R. Brookshire, and A. G. Chin, "Identifying factors influencing consumers? intent to install mobile applications, " Int. J. Inf. Manage., vol. 36, no. 3, pp. 441-450, Jun. 2016.
S. Pastrana and G. Suarez-Tangil, "A first look at the crypto-mining malware ecosystem: A decade of unrestricted wealth, " in Proc. Internet Meas. Conf., ser. IMC ?19. New York, NY, USA: Association for Computing Machinery, Oct. 2019, pp. 73-86.
A. Saif, H. AL-KILANI, M. Qasaimeh, and A. Al-Refai, "Analysis of Android applications permissions, " in Int. Conf. Data Sci., E-Learn. Inf. Syst., ser. DATA ?21. New York, NY, USA: Association for Computing Machinery, Jun. 2021, pp. 243-249.
A. Alshehri, P. Marcinek, A. Alzahrani, H. Alshahrani, and H. Fu, "Puredroid: Permission usage and risk estimation for android applications, " in Proc. 3rd Int. Conf. Inf. Syst. Data Mining, ser. ICISDM ?19. Houston, TX, USA: Association for Computing Machinery, Apr. 2019, pp. 179-184.
E. Tekiner, A. Acar, A. S. Uluagac, E. Kirda, and A. A. Selcuk, "SoK: Cryptojacking malware, " in Eur. Symp. Secur. Privacy, ser. EuroS P ?21. Vienna, Austria: IEEE, Sep. 2021, pp. 120-139.
Meta Platforms, Inc., "Facebook-Apps on Google Play, " Aug. 2022, accessed on 2nd August 2022. [Online]. Available: https://play.google.com/store/apps/details?id=com.facebook.katana
H. Liu, P. Patras, and D. J. Leith, "Android mobile OS snooping by Samsung, Xiaomi, Huawei and Realme handsets, " techreport, Oct. 2021. [Online]. Available: https://www.scss.tcd.ie/doug.leith/Android privacy report.pdf
S. Frier, "Samsung phone users perturbed to find they can?t delete Facebook, " Jan. 2019, accessed on 2nd August 2022. [Online]. Available: https://www.bloomberg.com/news/articles/2019-01-08/samsung-phone-users-get-A-shock-They-can-T-delete-facebook# xj4y7vzkg
E. Tekiner, A. Acar, and A. S. Uluagac, "A lightweight IoT cryptojacking detection mechanism in heterogeneous smart home networks, " in Netw. Distrib. Syst. Secur. Symp., ser. NDSS ?22, no. 29. San Diego, CA, USA: Internet Society, Apr. 2022, pp. 208-223.
A. Mylonas, A. Kastania, and D. Gritzalis, "Delegate the smartphone user? security awareness in smartphone platforms, " Comput, Secur., vol. 34, pp. 47-66, May 2013.