DOI: 10.1145/3374664.3375724
research-article

Dissecting Android Cryptocurrency Miners

Published: 16 March 2020

Abstract

Cryptojacking applications pose a serious threat to mobile devices. Because of the extensive computation they perform, they deplete the battery quickly and can even damage the device. In this work we take a step towards combating this threat. We collected and manually verified a large dataset of Android mining apps. In this paper, we analyze the gathered miners and identify how they work, which libraries and APIs are most popular for facilitating their development, and which static features are typical for this class of applications. Further, we analyzed our dataset using VirusTotal. The majority of our samples are considered malicious by at least one VirusTotal scanner, but 16 apps are not detected by any engine, and at least 5 APKs had not previously been seen by the service. Mining code could be obfuscated or fetched at runtime, and there are many confusing miner-related apps that do not actually mine. Thus, static features alone are not sufficient for miner detection. We have collected a feature set of dynamic metrics for both miners and unrelated benign apps, and built a machine learning-based tool for dynamic detection. Our BrenntDroid tool is able to detect miners with 95% accuracy on our dataset.


Published In

CODASPY '20: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy
March 2020
392 pages
ISBN:9781450371070
DOI:10.1145/3374664

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. android
  2. cpu mining
  3. cryptojacking
  4. cryptominer
  5. malware

Qualifiers

  • Research-article

Conference

CODASPY '20

Acceptance Rates

Overall Acceptance Rate 149 of 789 submissions, 19%

Cited By

  • (2023) Safety or Not? A Comparative Study for Deep Learning Apps on Smartphones. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 109-116. DOI: 10.1109/TrustCom60117.2023.00036. Online publication date: 1-Nov-2023
  • (2023) Web Scams Detection System. Foundations and Practice of Security, 174-188. DOI: 10.1007/978-3-031-57537-2_11. Online publication date: 11-Dec-2023
  • (2023) Evaluating Rule-Based Global XAI Malware Detection Methods. Network and System Security, 3-22. DOI: 10.1007/978-3-031-39828-5_1. Online publication date: 14-Aug-2023
  • (2022) Do Charging Stations Benefit from Cryptojacking? A Novel Framework for Its Financial Impact Analysis on Electric Vehicles. Energies 15:16 (5773). DOI: 10.3390/en15165773. Online publication date: 9-Aug-2022
  • (2022) MinerGuard: A Solution to Detect Browser-Based Cryptocurrency Mining through Machine Learning. Applied Sciences 12:19 (9838). DOI: 10.3390/app12199838. Online publication date: 29-Sep-2022
  • (2022) The Devil is in the Details: Unwrapping the Cryptojacking Malware Ecosystem on Android. 2022 IEEE 22nd International Working Conference on Source Code Analysis and Manipulation (SCAM), 153-163. DOI: 10.1109/SCAM55253.2022.00023. Online publication date: Oct-2022
  • (2021) An Analysis of Android Malware Classification Services. Sensors 21:16 (5671). DOI: 10.3390/s21165671. Online publication date: 23-Aug-2021
  • (2021) Synergy of Blockchain Technology and Data Mining Techniques for Anomaly Detection. Applied Sciences 11:17 (7987). DOI: 10.3390/app11177987. Online publication date: 29-Aug-2021
  • (2021) SoK: Cryptojacking Malware. 2021 IEEE European Symposium on Security and Privacy (EuroS&P), 120-139. DOI: 10.1109/EuroSP51992.2021.00019. Online publication date: Sep-2021
  • (2020) Android Malware Detection using Convolutional Deep Neural Networks. 2020 International Conference on Advanced Aspects of Software Engineering (ICAASE), 1-7. DOI: 10.1109/ICAASE51408.2020.9380104. Online publication date: 28-Nov-2020
