Cryptojackers on Google Play: How to Avoid Being a Victim to This Malware

Security researchers at Kaspersky have identified various apps and games in the Google Play store that have a secret function: they’re using your Android device’s processor to mine cryptocurrencies.

Worried that your phone’s recent slowdown might be because it’s getting old? Well, hold that upgrade: it could be down to Android cryptojacking. Here’s what’s going on, and what you can do to stop it.

Cryptomining Malware on Android

In April 2018, Kaspersky revealed that it had discovered a cryptomining campaign on Google Play, and advised Google of the details. In short, this meant that a bunch of apps and games had been cryptojacking users. This is using their phone or tablet’s CPU to mine cryptocurrencies, usually Monero.


To find out more about this, I spoke to Francis Dinha. As the CEO and co-founder of OpenVPN (the open-source VPN protocol with a focus on security), Dinha is a respected cyber security voice.

Describing an active campaign of cryptojacking (which Dinha also refers to as “drive-by mining”), he explained that miners are “being secretly embedded in mainly gaming and sports streaming apps […] and targeting millions of Android device users.” There is also news of other apps hiding cryptojacking scripts, including some that claim to offer VPN functionality.

Several approaches are used by the scammers behind these cryptojacking campaigns. Dinha told me that “a few off-the-shelf Monero mining tools have come into circulation, one of which is Coinhive. These tools accomplish Crypto-jacking by hiding a Coinhive JavaScript miner within the app or on a normal website.”

When the JavaScript code runs, it then utilizes your Android device’s CPU to mine Monero for the app’s developers.

Note: Even websites can run Coinhive without your knowledge. We’ve previously looked at websites that use your CPU for cryptocurrency mining.

The Cryptojacking Risk to Android Users

As Dinha notes, “The apps appear to have legitimate functionality, yet the real goal is to provide CPU power to mine a cryptocurrency called Monero.” Getting these apps listed on Google Play appears to have been based on producing apps that run as per the description, and hiding the cryptojacking code within the app.

Worryingly, Google Play’s checks are not in-depth enough to spot cryptominers. We’ve already seen how copycat apps manage to get through the screening process.

Having this sort of software on your smartphone is a bit of a risk to system stability. It might also reduce the lifespan of your device. “Draining a device CPU could lead to super slow functionality,” says Dinh. “Long-term overheating could ultimately damage the device.”

It’s difficult to tell if an app or game that you have installed has a cryptojacking miner hidden within. However, in some cases you can tell if your device has been subjugated to the cryptomining shenanigans of a scammer. Your phone may slow, and your web browser may open popup windows.

However, Dinha isn’t confident that it is easy to spot cryptojacking:

“Some of these malicious programs are quite advanced and are able to monitor CPU usage and even the temperature of the device to avoid causing the user to suspect the app.”

How Can You Stop Hidden Cryptominers?

Although Google has addressed the issue, and begun removing suspicious apps from the Play Store, there is every chance that other apps (perhaps by other scammers) might repeat this.

Francis Dinha gives us three basic rules for protecting against this malware:

  1. Be wary of free applications.
  2. Don’t install apps from untrusted sources.
  3. Keep your device updated.

It is worth checking your device CPU’s performance, regardless of any steps taken by the scammers to hide activity. Dinha advises users to “go to task manager settings and check to see if the device CPU performance is unusually high. If so […] shut down or close running apps. If there is no change in performance… suspect a malicious malware.”

We should underline this. Using an Android device to mine cryptocurrency can cause considerable damage to the phone. Some phones might be totally unsuitable, and lock up when the mining script is launched. Others might appear to manage the extra load, but run hotter than usual.

As a rule of thumb, your smartphone shouldn’t be running consistently hot. This is why smartphone cameras shut off on hot days when in video mode. Basically, hot phones are a problem!

Watch That Battery Usage!

There are other steps to take if you suspect cryptojacking, or just want to check. Android makes it simple to determine the battery usage of particular apps, which can provide you with clues. Avoid apps that claim to boost your battery, though, as they’re mostly useless and could even be mining Monero on your phone themselves.

Meanwhile, you should always be confident of the developer’s reputation before you install an app. Big-name developers, and those with a good history of strong apps, should be trustworthy. No-name developers are more likely to sneak cryptojacking into their apps.

Finally, consider a mobile security tool. These can detect miners, including those sneaky ones that don’t overheat your phone.

Android Cryptojacking: Don’t Get Jacked!

Cryptojacking is a concerning new cybersecurity development, and one that requires vigilance. When there is an opportunity to make money, scammers will take it. They’ll use any means at their disposal, even if that means your mobile device.

So, bear in mind Dinha’s recommendations, and stay alert for drive-by-mining scripts with a few important guidelines:

  1. Be wary of free applications.
  2. Avoid untrusted third-party marketplaces.
  3. Rely on trusted app publishers.
  4. Always update your device.
  5. Watch CPU performance.
  6. Monitor your phone’s temperature.
  7. Install reputable security software on Android.

For help with antivirus tools, see our list of the best Android apps, which includes a section on security apps. Meanwhile, be aware that cryptojacking is a risk on desktops as well as Android.