mclaren85 Posted July 9, 2018

Couple of days ago I've installed Nox Android Emulator (www.bignox.com) but after a day or two, my antivirus alarmed me of 2 suspicious files. Threats are "hicksaw.exe" and "sysve32.exe". Apparently these two files were part of a snaky GPU Miner of which I've also accessed its config files. That is what I've seen in the config file:

    {
      "algo": "cryptonight-heavy",
      "background": false,
      "colors": true,
      "retries": 5,
      "retry-pause": 5,
      "syslog": false,
      "print-time": 60,
      "av": 0,
      "safe": false,
      "cpu-priority": null,
      "cpu-affinity": null,
      "threads": 4,
      "pools": [
        {
          "url": "loki.miner.rocks:5555",
          "user": "LK8CGQ17G9R3ys3Xf33wCeViD2B95jgdpjAhcRsjuheJ784dumXn7g3RPAzedWpFq364jJKYL9dkQ8mY66sZG9BiD3STV3eFM8YBAdnja4",
          "pass": "x",
          "keepalive": false,
          "nicehash": false,
          "variant": 1
        }
      ],
      "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null
      }
    }

In the config file you can see the "loki.miner.rocks" and the user name: "LK8CGQ17G9R3ys3Xf33wCeViD2B95jgdpjAhcRsjuheJ784dumXn7g3RPAzedWpFq364jJKYL9dkQ8mY66sZG9BiD3STV3eFM8YBAdnja4"

Then I visited the website and put the user name and Bingo! I've accessed the hacker's mining page, here it is:

Try it for yourself: https://loki.miner.rocks LK8CGQ17G9R3ys3Xf33wCeViD2B95jgdpjAhcRsjuheJ784dumXn7g3RPAzedWpFq364jJKYL9dkQ8mY66sZG9BiD3STV3eFM8YBAdnja4

And think not twice, but thrice before installing Android Emulators.
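The config quoted above is the standard pool-based layout (a top-level "pools" list whose entries carry a "url" and a "user" wallet), so the useful triage step is to pull the pool host, port and wallet out of any such file found on a machine and treat them as indicators. The following is an added example, not code from the post or from any emulator vendor; the sample config is constructed here and only reuses the pool and wallet values the post quoted, and the scheme list and the "pools"-list heuristic are assumptions about common miner config files rather than anything the post states.

```python
import json
from typing import Any, Dict, Optional, Tuple

# Constructed sample: pool/wallet values copied from the config quoted in the post,
# trimmed to the keys this example actually looks at.
SAMPLE_CONFIG = """{
  "algo": "cryptonight-heavy",
  "background": false,
  "threads": 4,
  "pools": [
    {
      "url": "loki.miner.rocks:5555",
      "user": "LK8CGQ17G9R3ys3Xf33wCeViD2B95jgdpjAhcRsjuheJ784dumXn7g3RPAzedWpFq364jJKYL9dkQ8mY66sZG9BiD3STV3eFM8YBAdnja4",
      "pass": "x",
      "keepalive": false,
      "nicehash": false,
      "variant": 1
    }
  ],
  "api": {"port": 0, "access-token": null, "worker-id": null}
}"""

# Assumed scheme prefixes some miner configs put in front of host:port.
SCHEMES = ("stratum+tcp://", "stratum+ssl://", "stratum://", "tcp://", "ssl://")


def split_pool_url(url: str) -> Tuple[str, Optional[int]]:
    """Return (host, port) for a pool URL, tolerating an optional scheme prefix."""
    for scheme in SCHEMES:
        if url.lower().startswith(scheme):
            url = url[len(scheme):]
            break
    host, sep, port = url.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return url, None  # no port given


def looks_like_miner_config(cfg: Any) -> bool:
    """Heuristic: a JSON object with a 'pools' list whose entries carry url + user."""
    if not isinstance(cfg, dict) or not isinstance(cfg.get("pools"), list):
        return False
    return any(isinstance(p, dict) and "url" in p and "user" in p for p in cfg["pools"])


def extract_indicators(text: str) -> Dict[str, Any]:
    """Parse a config file and return the pool hosts, ports and wallets it contains."""
    cfg = json.loads(text)
    if not looks_like_miner_config(cfg):
        raise ValueError("not a pool-based miner config")
    pools = []
    for p in cfg["pools"]:
        host, port = split_pool_url(str(p["url"]))
        pools.append({"host": host, "port": port, "wallet": str(p["user"])})
    return {
        "algo": cfg.get("algo"),
        "threads": cfg.get("threads"),
        # Hostnames are what a hosts-file or DNS block needs; wallets are what a
        # pool's public stats page is keyed on.
        "hosts_to_block": sorted({p["host"] for p in pools}),
        "pools": pools,
    }


if __name__ == "__main__":
    print(json.dumps(extract_indicators(SAMPLE_CONFIG), indent=2))
```

The wallet address is the most stable indicator here: the operator can move pools, but every pool's public dashboard is keyed on the wallet, which is exactly how the post above confirmed the miner's owner.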
Thrandisher Posted July 9, 2018

And damn, I was just thinking on installing that again.
software182 Posted July 9, 2018

WTF, did you download it from the official site? If it's true then this is really really bad news.
mclaren85 (Author) Posted July 9, 2018

43 minutes ago, software182 said:
WTF, did you download it from the official site? If it's true then this is really really bad news.

Yes of course I've downloaded it from the official site. Look, there is other news from various sources:

https://www.bleepingcomputer.com/news/security/andy-os-android-emulator-reportedly-installing-a-gpu-miner/
https://www.reddit.com/r/noxappplayer/comments/7vrm2t/cryptocurrency_malware_miner_bundled_in_nox_6/
https://www.reddit.com/r/BlueStacks/comments/7vlqnj/cryptocurrency_malware_miner_bundled_in/

Andy, bluestacks, nox etc..
steven36 Posted July 9, 2018

So now Nox is doing it too? Android emulator Andy OS has been doing it for months. Looks like it's spreading.

https://betanews.com/2018/06/18/andy-os-bitcoin-miner/

If you want it to make the news post it here: https://old.reddit.com/r/Android/
mostwanted Posted July 9, 2018

This is getting ridiculous, now our software has it too. I've already had to get android extensions to block websites from mining my cpu/gpu.
mclaren85 (Author) Posted July 9, 2018

2 minutes ago, mostwanted said:
This is getting ridiculous, now our software has it too. I've already had to get android extensions to block websites from mining my cpu/gpu.

Which extension is that?
steven36 Posted July 9, 2018

5 minutes ago, mclaren85 said:
Which extension is that?

You can block the website in your hosts file, then it can't drop a miner, if using it on windows or Linux. It's a problem on Amazon Fire TVs as well, but the ones for Android Emulators are to exploit windows. If you use any 3rd party software that is to do with streaming you should block known crypto miners in your hosts block. Here are many more urls:

https://github.com/hoshsadiq/adblock-nocoin-list/blob/master/hosts.txt

Thanks for the new one, adding it to my hosts block.
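The hosts-file approach described above works by mapping each known pool or miner hostname to a sinkhole address (the linked list uses the 0.0.0.0 form). The following is an added example, not code from the post or from the adblock-nocoin-list project: it parses hosts-file text, checks whether a hostname is already sinkholed, and appends 0.0.0.0 entries for any that are not. The sample hosts lines are constructed here (the example domains are placeholders; only loki.miner.rocks comes from the thread), and the set of addresses treated as a sinkhole is an assumption about common list conventions.

```python
from typing import Dict, List, Tuple

# Constructed sample in the same "0.0.0.0 <hostname>" format as the linked hosts.txt,
# including a comment line, a trailing comment and a blank line to exercise the parser.
SAMPLE_HOSTS = """# constructed sample hosts block
0.0.0.0 miner-pool-a.example
0.0.0.0 miner-pool-b.example  # trailing comment

"""

# Assumption: lists use either 0.0.0.0 or loopback as the sinkhole address.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address}, ignoring comments and blank lines.
    A hosts line may list several hostnames after one address."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def is_sinkholed(hostname: str, mapping: Dict[str, str]) -> bool:
    """True if the exact hostname resolves to a sinkhole address.
    Hosts files match exact names only: a blocked domain does not cover its subdomains."""
    return mapping.get(hostname.lower()) in SINKHOLE_ADDRESSES


def merge_block_entries(text: str, hostnames: List[str]) -> Tuple[str, List[str]]:
    """Append 0.0.0.0 entries for hostnames not already sinkholed.
    Returns (new_text, hostnames_added); the original text is left untouched if nothing is new."""
    mapping = parse_hosts(text)
    added = sorted({h.lower() for h in hostnames if not is_sinkholed(h, mapping)})
    if not added:
        return text, []
    lines = [text.rstrip("\n")] + [f"0.0.0.0 {h}" for h in added]
    return "\n".join(lines) + "\n", added


if __name__ == "__main__":
    new_text, added = merge_block_entries(SAMPLE_HOSTS, ["loki.miner.rocks", "miner-pool-a.example"])
    print("added:", added)
    print(new_text)
```

Two caveats worth keeping in mind when relying on this: a hosts entry only covers the exact name (sub.pool.example is not blocked by an entry for pool.example), and a miner configured with a raw IP address, as the "url" field in a config allows, never consults the hosts file at all, so the hosts block is a cheap first layer rather than a complete control. On Windows the file lives at C:\Windows\System32\drivers\etc\hosts, on Linux at /etc/hosts.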
Rekkio Posted July 9, 2018

15 minutes ago, mclaren85 said:
Which extension is that?

Not the OP, but I use this: https://chrome.google.com/webstore/detail/minerblock/emikbbbebcdfohonlaifafnoanocnebl

It uses a blocklist + behavioral detection to block cryptominers.
mclaren85 (Author) Posted July 9, 2018

11 minutes ago, steven36 said:
You can block the website in your hosts file, then it can't drop a miner, if using it on windows or Linux. It's a problem on Amazon Fire TVs as well, but the ones for Android Emulators are to exploit windows. If you use any 3rd party software that is to do with streaming you should block known crypto miners in your hosts block. Here are many more urls: https://github.com/hoshsadiq/adblock-nocoin-list/blob/master/hosts.txt Thanks for the new one, adding it to my hosts block.

That is what I was looking for. Thanks!
steven36 Posted July 9, 2018

1 minute ago, mclaren85 said:
That is what I was looking for. Thanks!

You need to add the one you found as well. Here's one I found that's not on the list yet:

    0.0.0.0 updatecenter.net

But nod32 detects it, and I verified it's being used to drop a trustedinstaller.exe bitcoin miner.
straycat19 Posted July 10, 2018

Seems like the initiative is to go to coin miners since everyone is blocking ads. I have seen some sites that give a choice before entering, either turn off adblockers or allow its miner. Otherwise you can't use the site. There have been several articles concerning this turn of events.
bubbada Posted July 10, 2018

Can these miners be removed from the (nox) program?
mclaren85 (Author) Posted July 10, 2018

5 hours ago, bubbada said:
Can these miners be removed from the (nox) program?

Impossible unless you disassemble it and recompile it again.
sc02f Posted July 10, 2018

How about Memu?
DKT27 (Administrator) Posted July 10, 2018

Normally we do not allow non-articles to be posted in news sections of the forums. But this deserves to be here. Good work finding this.
mclaren85 (Author) Posted July 10, 2018

3 hours ago, sc02f said:
How about Memu?

I'm sorry but:
I Am Negan Posted July 14, 2018

Couldn't somebody make a repack and remove all the bad stuff?
steven36 Posted July 14, 2018

54 minutes ago, I Am Negan said:
Couldn't somebody make a repack and remove all the bad stuff?

It seems to be coded into the app to call out to the url and install the miner. Not an open source app, no way, so even if you knew how to code there is no info on it. The only way a repack would help would be if it was in the installer, because that's all a repack is, another installer where they sometimes crack the app and repackage it, sometimes they may remove languages and readmes to make it smaller.

Most repackers here on nsaneforums can be trusted if you've known them for a while, but I've seen repacks in the past that had bitcoin miners in them lol. Like you install IDM and get a free gift. So be careful installing them from users you don't know, someone could put ransomware or a miner in one. I never use repacks because it's easy enough to run a patch or use a keygen or serial yourself, and most any installer that has adware in it can simply be blocked with a firewall so it can't call home to install it. I do use portables from people I've known for a while, but that is so I don't have to install something.

Malware could be in a crack, but it's more likely to be in an app than a crack; from my years of messing with warez most hits on cracks are just false positives, most hits I've seen on installers on warez sites were real malware. But there are exceptions where some installers were clean that had false positives. Avast flagged some of my legit programs back when I used it in the past, and before there have been cases of antivirus getting bad signatures and deleting stuff in windows where you could not boot back up after an antivirus update.
I Am Negan Posted July 14, 2018

Well that's disappointing. I think I'll stay with bluestacks.
steven36 Posted July 14, 2018

8 minutes ago, I Am Negan said:
Well that's disappointing. I think I'll stay with bluestacks.

It happened to someone before, about 5 months ago; it didn't seem to happen to everyone that uses NOX.

https://old.reddit.com/r/noxappplayer/comments/7vrm2t/cryptocurrency_malware_miner_bundled_in_nox_6/

And I don't see anyone complaining about it: https://old.reddit.com/r/noxappplayer/

That's what is strange about it, maybe certain conditions have to be met. It doesn't seem to be added by the DEV or everyone would be infected; seems there are hackers out there compromising apps. It can happen using Bluestacks, kodi and other apps that need internet, or from a web browser. Miners are everywhere now.