You could be part of a scheme to mine virtual currency and not even know it.
Researchers have discovered malware that allows nefarious developers to turn crummy apps into covert “mining” software, transforming the time consumers spend with their products into gold — or at least the digital currencies often compared to the precious metal. It’s called CoinKrypt, and it can reportedly be used to create Litecoin, Dogecoin, and Casinocoin. It has been built into at least one app with millions of downloads from the official Android software marketplace.
The tools are currently limited in their abilities because of the relatively feeble processors used in most smartphones and the unsophisticated nature of the malware. Lookout, the smartphone security company that discovered it, estimates that it would take an entire week to generate just 20 cents’ worth of value from a single smartphone with an infected app running non-stop. The tool needs a lot of work if it’s ever going to make these modern alchemists any real money.
Wired suggests that few developers will bother to invest the time into improving the software, which will always be limited by the strength of the processors to which it has access. You don’t have to worry about someone else getting rich off your unhealthy obsession with your phone — or at least not anyone counting on the creation of new coins from unproven digital currencies. But these tools remain a threat to your smartphone, and represent the bigger problem with an increasing reliance on software downloaded without a second thought to security or privacy.
The basic nature of these tools meant that anyone using infected apps for a prolonged period of time ran the risk of overheating their smartphone’s processor, which could ruin the device and force users to either go without a phone or spend a couple hundred dollars on a new one. This attempt to create virtual money threatened to damage consumers’ very real smartphones.
That some of these infected apps were able to attract downloads from the Google Play Store shows how little most consumers can do to protect their smartphones. Ars Technica reports that one app had between 10,000 and 50,000 installs before it was removed from the store; another had somewhere between 1 million and 5 million downloads before it too was removed. The people affected by these apps didn’t download their software from some shady website — they downloaded it from the software marketplace installed on most Android smartphones.
This isn’t the first time an app downloaded by millions of people from an official marketplace was revealed to be covertly mining its users’ smartphones for profit. The only difference is that this malware is mining — or, at least, as close to literally mining as the creation of fake coins can get — while the other app was metaphorically mining its users’ personal information. That app, which gathered its users’ personal information and sold it to advertisers in defiance of instructions not to, was the subject of a Federal Trade Commission investigation last year.
I covered the case when it was settled in December, concluding:
The settlement requires the app’s creator, Goldenshores Technologies, to remove all user data from its servers. The app will also have to ask users if they would like to share their personal information — and, you know, respect their decision — and make the type of data it collects and with whom the data will be shared clearer than before. Put another way, the FTC has now made Goldenshores Technologies do many of the things it professed to be doing in the first place.
This is a definite win for the “tens of millions” of people who downloaded the app. But the process through which this company’s wrongdoings were exposed and corrected is untenable. How is the FTC going to comb through the hundreds of thousands of applications available in the App Store or Google Play? How will consumers defend themselves in the meantime? The answers to those questions aren’t any clearer than they were yesterday, and this settlement is little more than a tiny ripple in what might be an incredibly large pond of dishonest app developers.
The exposure of these tools shows that this pond will continue to ripple — long after thousands, or perhaps millions, of consumers were compromised by software they believed to be safe.