Coinhive Discovered in 19 Google Play Apps

The cryptocurrency-mining script Coinhive was discovered within 19 different Google Play store apps, hidden inside HTML files in the apps’ asset folders. After the user launches the malicious app, it opens a WebView browser instance that runs the mining script in the background. Most of these apps have not been installed on many devices; however, one particular app was downloaded between 100,000 and 500,000 times. Mining activity conducted on mobile devices can result in reduced battery life, poor performance, overheating, and the risk of permanent, physical damage to internal components. The NJCCIC recommends Android users review the Sophos report for additional details and a list of the malicious apps. If users have downloaded and installed affected apps, we recommend uninstalling the apps immediately and scanning affected devices with a reputable antivirus solution. Thoroughly research apps prior to installation by reading user reviews and searching for information about the developer. Additionally, carefully monitor devices for any sudden changes in performance such as unexplained high CPU usage indicative of cryptocurrency-mining activity.