It’s been difficult to escape the hype around cryptocurrencies recently. It seems that everywhere you look, there is some new story focused on a topic that just three years ago wasn’t even an official word.

It’s no different in the world of mobile security either. Cryptojacking has become one of the hottest new threats for security teams to worry about. This technique involves the use of scripts that run on webpages or in mobile apps. These scripts are designed to harvest the processing power of the user’s device to mine for cryptocurrency.

What is cryptojacking and why should I care?

Currencies such as Bitcoin, Ethereum and Monero are all continually ‘mined’ by using distributed computing resources to work out problems that generate ‘hashes’. Anyone can use their machines to process new coins in this way, but with cryptojacking, website owners and app developers are able to harness the CPU of their audience instead, earning them cryptocurrency in the process. The biggest cost of mining new coins is electricity, and so by using these scripts that cost is passed onto the user.
Individually, the amount earned from each device is minuscule, but when running on thousands of devices cryptojacking can prove to be quite lucrative. Coinhive, the most popular mining plugin, earns owners Monero – a currency that has risen in value by more than 400% in the last six months.
Many app and site owners have seen it as a potential alternative to advertising revenue, asking users to contribute a portion of their CPU instead of exposing them to unwanted adverts. The Pirate Bay experimented with this model, hosting Coinhive on the filesharing network’s web properties to offer visitors an alternative to ads. Wandera estimates that the amount generated by mobile traffic to the domain would be worth around $4,500 per month at late-November Monero prices (source: CoinGecko, SimilarWeb) – unlikely to be enough to replace the lost advertising revenue.
However, in many cases these scripts are being deployed on sites without the owner’s knowledge. Indeed, this was the case when the Coinhive code was discovered on the CBS Showtime website and on the official website of Cristiano Ronaldo. Hackers could have earned more than $40,000 in Monero with the ‘stealth’ usage of the cryptojacking script. It’s also important to note that, unlike Bitcoin, Monero’s transaction history is entirely private, making it more appealing to attackers seeking to convert it to cash.
Compounding this stealth implementation problem is the concern that users do not give consent to website hosts to use their device’s CPU. In an attempt to address this, Coinhive have released AuthedMine, which prompts users before executing the script. Few sites have adopted this new version, however, and according to AdGuard more than 33,000 websites are currently running cryptojacking scripts, including at least 220 of the top 100,000 most trafficked sites.
Many hackers are offering legitimate (or seemingly useful) services, such as calculators, music videos and battery performance sites, that then stealthily mine Monero in the background.

How prevalent is cryptojacking?

Wandera conducted an analysis of 100,000 sampled devices in its network of corporate-assigned smartphones and tablets. These devices are protected by Wandera’s mobile security solution, so the data does not include connections to cryptojacking services that were blocked by security administrators.
The data reveals a number of interesting findings. Firstly, mobile is increasingly becoming a target for cryptomining hackers, with the number of mobile devices connecting to cryptojacking sites and apps growing by 287% between October and November. Almost all of the exposed users are unaware that the script is running on their device.
Furthermore, more than a quarter (28.8%) of organizations had at least one mobile device running a cryptojacking script in November. At 1,098 of 100,000 sampled devices, more than 1% of corporate devices ran a cryptojacking script at some point in November, peaking at 562 per 100,000 devices on November 23rd.
The most common sites hosting cryptojacking scripts on mobile were legally dubious streaming services, followed by those hosting adult content.

What’s so bad about cryptojacking?

Aside from the risk of an unwanted cryptojacking script on your own website, as a mobile user or a business responsible for mobile-enabled employees there are things you should consider when it comes to cryptojacking.
Devices running these scripts are susceptible to rapid battery drain. Wandera researchers found that a fully charged iPhone 7 with an open browser tab on a Coinhive-enabled web page would be depleted in under two hours. Devices running these scripts get hot and may be permanently damaged – Wandera tests revealed that devices rose to more than 20 degrees Celsius hotter than the recommended maximum temperature for those handsets.
Although cryptojacking is not as severe as a phishing or traditional malware attack, it is something most organizations would not wish to be exposed to and may pose a significant indirect cost in productivity and remediation.

How does it spread?

Hackers have been known to insert Coinhive code into themes and plugins available for web tools such as WordPress and Drupal, helping expose other organizations’ websites to the cryptomining script. Many mobile sites, however, will be deliberately running the plugin with full knowledge of the owner.
In light of the fact that scripts like Coinhive can be installed on almost any app or website, links to these services can be accessed from anywhere. Wandera research found users of Facebook, Instagram, Pinterest and LinkedIn all exposed to links containing the Coinhive plugin, meaning effective prevention of cryptojacking cannot happen at the distribution level.

Why mobile?

Mobile is increasingly becoming a target for cryptomining hackers, with the number of mobile devices connecting to cryptojacking sites and apps growing by 287% between October and November 2017. Almost all of the exposed users are unaware that the script is running on their device, in part due to the unique nature of mobile. It is rarely immediately obvious that a script is running at all and, unlike desktop, mobile web browsers often make it difficult to see which tabs are currently open.
Attackers are employing this technique as it holds several advantages over other forms of mobile attack. Firstly, unlike malware strains such as ransomware, it can quietly lurk in the background, undetected by the target. Secondly, it is much easier to distribute as it does not require any kind of compromise of the device’s security. With no need to bypass security systems or install any rogue software, it is far simpler to effectively undertake the attack. This also means that endpoint-based or app-only security solutions are unable to prevent the threat.

How can I prevent cryptojacking?

Not all businesses will see cryptojacking as a critical threat, but most will see it as an unnecessary drain on resources and an unwanted presence in their device fleet. Employees and members of the public exposed to unconsented cryptojacking will also likely see this as an undesirable threat.
Unlike app-only threat defense solutions, Wandera operates both on the device and in the network. That means that connections to services such as Coinhive can be intercepted in transit, allowing admins to block cryptojacking scripts from executing while still allowing the user to access the apps and webpages.
Admins are recommended to use the ‘cryptocurrency’ category to block access to cryptojacking and other cryptocurrency sites, and to implement exceptions if they wish to allow employees access to certain legitimate services of this kind.
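As an added example (not Wandera’s code and not part of the original post), the following Python snippet shows the two checks a network-level filter like the one described above can make: category-based blocking of a request’s hostname with admin exceptions, and inspection of a fetched page for script includes that resolve to a blocked host. The category table, the exception list and the sample page are constructed; coinhive.com and authedmine.com are assumed to be the script hosts of the services named above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed category table: hostname (plus subdomains) -> policy category.
CATEGORY_BY_HOST = {
    "coinhive.com": "cryptocurrency",    # Coinhive's script host (assumed)
    "authedmine.com": "cryptocurrency",  # opt-in AuthedMine variant (assumed)
}
BLOCKED_CATEGORIES = {"cryptocurrency"}

def host_category(host):
    """Category of host, matching the host itself or any parent domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = CATEGORY_BY_HOST.get(".".join(labels[i:]))
        if cat:
            return cat
    return None

def should_block(url, exceptions=()):
    """Block a request whose host is in a blocked category, unless an
    admin exception (exact hostname) allows it."""
    host = (urlparse(url).hostname or "").lower()
    if host in {e.lower() for e in exceptions}:
        return False
    return host_category(host) in BLOCKED_CATEGORIES

class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.srcs.append(src)

def find_blocked_scripts(html, page_url, exceptions=()):
    """Script URLs in html (resolved against page_url) that the policy blocks."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    urls = [urljoin(page_url, s) for s in parser.srcs]  # same-origin srcs pass
    return [u for u in urls if should_block(u, exceptions)]

# Constructed sample page: one same-origin script and one miner include.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
</head><body>battery checker</body></html>"""
```

In a real deployment the category table would come from the filtering product’s feed, and the same check would be applied to the WebSocket or XHR connections the script opens, not only to the script include itself.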
To see an example of cryptojacking in action, you can visit our fake iOS battery checker and help earn us a few cents in the process.