Bitcoin-Mining android malware found on Google Play Store

No matter how much Security mechanism Google try to implement to keep the malware from getting placed in Google Play store, Cyber Criminals are still able to upload their malicious apps.

We recently learned a 'fake' android anti-virus application found on Play Store and tricked more than 10,000 users into buying it.  But, Google which doesn't want to lose its reputation gave refund and $5 promo credit to those individuals scammed by this app.

Now, Researchers from Security firm LookOut have spotted another set of malicious apps on Google's Play store which turns the infected devices into a distributed bitcoin mining system.

Dubbed as 'BadLepricon', the malware disguise itself as a Live wallpaper app for android.  These five malicious apps had been downloaded between 100-500 times before Google removed them.

It seems like cybercriminals' interest in using the infected android devices to mine cryptocurrencies is increasing day by day.

Last month, LookOut reported that CoinKrypt malware hijacked mobile phones in order to use it to generate digital currency.  Few days back, TrendMicro also discovered a Java RAT which is capable of abusing the android devices to mine Litecoin.

Bitcoin stealing Mac malware found to be hosted on Download.com and MacUpdate.com

Image Credits: ThreatPost.
Another variant of the recently discovered Mac Trojan "OSX/CoinThief" is found to be hosted on two popular download websites Download.com and MacUpdate.com.

CoinThief malware is designed to steal Bitcoins login credentials from victim as well as Mac's username and UUID(unique identifier), also collects information about the list of Bitcoin related apps installed on the system.

Few days back, SecureMac spotted this Trojan is being hosted under the name of "Stealthbit" on GitHub and downloaded by hundreds of users.  One user from reddit also pointed out the similarity between an one year old fake bitcoin related app "BitVanity" and stealthbit.

Now, experts at SecureMac have spotted one more variant being hosted under the name of "Bitcoin Ticker TTM" and "Litecoin Ticker" on popular download sites.  These app names appear to have been taken from legitimate apps in the Mac app store.

This version also installs fake browser extension called as Pop-up Blocker in Chrome, safari and firefox.  The malicious extension attempts to sniff on the web traffic to steal  bitcoin login credentials.  It will communicate with the background process and send collected data to a remote server.

SecureMac has explained how to check whether malware is installed on your system and how to remove this CoinThief malware.

The developer of legitimate Bitcoin Ticker TTM app said he has no connection with download.com & Macupdate.com and recommends users to download the app from Mac app store.

StealthBit: New malware targeting Apple Mac OS X steals Bitcoins

A new Trojan Horse targeting Apple Mac OS X spies on web traffic of users and attempt to steal Bitcoins.  SecureMac says the malware referred as "OSX/CoinThief.A" is found in the wild.  Several users have reported that their Bitcoins have been stolen.

The malware hosted in Github with the name "StealthBit" disguising itself as an app to send and receive payments on Bitcoin Stealth Addresses.  A link to this project had also been posted in reddit  inciting users to download the app and have been voted by 100 people. 

The project had source code as well as a pre-compiled binary file.  Researchers say the binary file didn't match with the copy generated from source code. Those who installed the pre-compiled version of the app likely to be infected by this malware.

One user from reddit reported that his 20 Bitcoins(current value is around $10k) have been stolen by this malware app.

"I foolishly installed 'StealthBit' Anyone else find this to be a virus? The Post is still online.. I found 1 comment suggesting the possibility. https://pay.reddit.com/r/Bitcoin/comments/1wqljr/i_was_bored_so_i_made_bitcoin_stealth_addresses/" The user posted in the reddit.

Upon running the app for the first time, it installs browser extensions for Safari and Google Chrome and runs continually a program in background that looking for Bitcoin Wallet login credentials. The malware then steals Bitcoin login credentials, username and Unique identifier of infected Mac.

At the time of writing, the malicious project have been removed from the GitHub. 

It appears this is not the first time Mac users being fooled such kind of malicious apps.  One user shared his experience that he was scammed by similar app called "Bitvanity" which was also hosted in Github, stole 20 BTC from his account.

The user also has pointed out interesting facts about these two projects- The "StealthBit" hosted by "Thomas Revor" and "Bitvanity" was hosted by "Trevorscool".

Fake Facebook page serves Fake Flash player containing Miner

Now a days, Cyber Criminals have more interest in Bitcoins and Mining than the victim's information. Here is another example that shows the interest of cybercriminals.  


Security Researcher at MalwareBytes has come across a fake facebook video page that displays a message "An update for Youtube flash player is needed" and downloads fake flash player file.


Once user opened the fake flash player, it drops a couple of executable files namely "control.exe" and "svhost.exe".

Svchost.exe attempts to join a P2Pool - a decentralized Bitcoin mining pool that works by creating a peer-to-peer network of miner nodes.  However, it failed to connect.  The dropped miner is being detected as PUP.BitCoinMiner.

Users are always recommended to download the software from trusted and directly from the software provider. 

Citadel Malware targets Bitcoin users, takes screenshots of browsers


Virtual currency Bitcoin become the most hot topic in the Internet after its value recently reached unbelievable level.

We recently aware that cyber criminals breached Bitcoin related websites to steal the Bitcoins.  There are also malware that will install Bitcoin Miner in victim's machine(eg: ZeroAccess).

Trusteer’s Security team have come across a new variant of Citadel malware which targets Bitcoin users capable of capturing screenshots of victim's browser whenever they visit Bitcoin related websites.

It also targets other virtual currency related websites such as Yandex money(money-yandex.ru), Webmoney.ru, QIWI.ru, Perfect Money(perfectmoney.com).