The scourge of drive-by currency mining—in which websites and apps covertly run resource-draining code on other people’s devices—shows no sign of abating. Over the weekend, researchers added two more incidents: one involves more than 4,200 sites (some operated by government agencies), while the other targets millions of Android devices.
Millions of Android devices targeted
The second incident of surreptitious mass mining has targeted millions of Android devices since as early as November, security provider Malwarebytes said Monday. The campaign presents a webpage to unsuspecting users warning that their device is showing suspicious signs. The site directs them to complete a CAPTCHA to prove their device is being controlled by a human rather than a malicious script. Until the end user completes the CAPTCHA, the device runs resource-exhausting code that mines Monero on behalf of the attackers.
A quick analysis of two of the five sites known so far to display the code-mining CAPTCHAs indicates the campaign is snaring tens of millions of devices. Results returned by SimilarWeb showed that rcyclmnr[.]com received 34.2 million visits since November, with 98.5 percent of the visits coming from mobile devices. A separate page used in the campaign, recycloped[.]com, received 32.3 million visits, with 95 percent of its visits coming from mobile devices.
Malwarebytes researchers estimated that the five domains collectively received an average of 800,000 visits per day. Each visit to the mining page, according to Malwarebytes, lasted an average of four minutes. The researchers said that redirect scripts were responsible, but they also suspect malicious apps may have played a role.
“Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month,” Malwarebytes lead malware intelligence analyst Jérôme Segura wrote in Monday’s report. “However, as cryptocurrencies continue to gain value, this amount could easily be multiplied a few times over.”
The minimal benefit to the drive-by mining scammers is in stark contrast to its effects on end users. Currency-mining scripts that run on PCs for extended periods of time have the potential to consume considerable amounts of electricity and even render some affected companies unable to operate because of the strain the miners put on servers and the network bandwidth the miners consume. Researchers at Kaspersky Lab, meanwhile, recently documented an Android miner that was so aggressive it physically damaged the phone it ran on.