Warning: More iOS Devices Are Infected by Cryptocurrency Mining Malware

In the mobile computing and gadgets world, Android has been the whipping boy when it comes to the issue of security vulnerabilities and mobile malware penetration exploits. Many have lauded Apple, as its very nature of maintaining a walled garden produces a more secure environment for users downloading apps from a list of highly vetted App Store.

However, this is no longer true today, based on the report released by CheckPoint, a cybersecurity consulting firm. The bottom line is the new types of malware are not in the business of causing an infected device to be unusable, but rather to co-exist with it for long-term benefits. This is what Checkpoint highlighted in their report, that crypto-mining malware infected iPhones are seen in the wild more and more, to the tune of 400% increased infection frequency.

The primary culprit is the CoinHive cryptomining virus, which runs conveniently on a browser like Safari in iPhones. With users of iPhones being confident with the use of their devices, they end-up visiting websites hosting CoinHive. Malicious JavaScript code on those sites is enough to take-over Safari, running the coin miner in the background without the user’s knowledge.

“Crypto-mining continues to be the dominant threat facing organizations across the world. The attacks on Apple devices are not using any new functionalities. The reason behind the increase is not yet known but serves to remind us that mobile devices are an often-overlooked element of an organization’s attack surface. It’s critical that mobile devices are protected with a comprehensive threat prevention solution, to stop them being the weak point in corporate security defenses,” explained CheckPoint in their official blog.

CoinHive is first discovered more than a year ago, September 2017. Being a malware running on-top of a vulnerable browser, it was developed and continue being optimized as an OS-agnostic virus. As Windows has a built-in antivirus in the form of Defender, while Linux often receives updates as soon as an exploit is discovered and patched the most vulnerable platform is the mobile computing.

This leaves both Android and iOS as the growth areas for. Unfortunately, for an iPhone user, Apple has not developed any security software built-in with their devices. Android by default comes with Google Play Protect, a rudimentary antimalware service which scans the device for virus infection during an app update from the Play Store. Such proactive service does not exist in any iOS device.

Aside from the iOS device cryptocurrency malware vulnerability, the CheckPoint report also stated the top 10 malware for the month: (direct quotes)

1. ↔ Coinhive – Crypto-miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval the profits with the user. The implanted JavaScript uses a great deal of the computational resources of end users’ machines to mine coins, and may crash the system.
2. ↔ Dorkbot- the worm designed to allow remote code execution as well as downloading an additional malware to the infected system.
3. ↑ Cryptoloot – Crypto-miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking a lower percentage of revenue from websites.
4.    ↔ Andromeda – A modular bot used mainly as a backdoor to deliver additional malware on infected hosts that can be modified to create different types of botnets.
5. ↔ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency, and other incentives.
6. ↑ Roughted – Large-scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
7. ↓ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies, and personal data.
8. ↓ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, first seen in-the-wild on May 2017.
9. ↔ Conficker – A worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
10. ↑ Emotet – Emotet is a Trojan that targets the Windows platform. This malware sends out system information to multiple control servers and can download configuration files and other components. It, reportedly, targets customers of certain banks and hooks various APIs to monitor and log network traffic. The malware creates a Run key registry entry in order to get started after system reboots.