Google recently announced its plan to curtail the distribution of cryptocurrency mining apps on the Play Store, but it appears some are still slipping through the net.
“We don’t allow apps that mine cryptocurrency on devices,” the Big G wrote in its updated developer policies last month. “We permit apps that remotely manage the mining of cryptocurrency.”
But this isn’t stopping developers from pushing smartphone mining software to the Play Store anyway.
Mining app JSEcoin
One such example is JSEcoin, a British blockchain startup working on browser-based mining solutions as an alternative stream of avenue to advertising. Earlier this week, the company announced it successfully rolled out its mobile app to the Play Store.
Among other things, the app came with functionality to manage your mining efforts remotely; or if you prefer, to mine cryptocurrency directly on your mobile device. Even though the latter feature goes against Google’s new policy, the search engine giant approved the app for listing.
We reached out to JSEcoin co-founder and chief technology officer, John Sim, to ask him if the app is indeed mining directly on mobile devices. “That is correct,” he told Hard Fork in an email. “We have additionally reached out to the Google Support team to confirm if we are allowed to allow our users to mine our tokens via our official app – as we are aware of their restriction policy.”
We also asked Google for a clarification on how its new cryptocurrency mining policy is enforced. “We regularly update our developer policies, in accordance with current best-practices, to maintain a safe and positive experience for developers and consumers on Google Play,” a spokesperson told Hard Fork.
Moments later, the JSEcoin app was nowhere to be found on Google Play.
Sim informed us that Google had suspended the app, citing a violation of its terms. “Unfortunately even with low power [and] CPU consumption use, we are not allowed to enable mining,” he told us.
“We don’t allow apps that mine cryptocurrency on devices,” read a message from Google that JSEcoin shared with Hard Fork.
“We will be following up with [Google] this month to see what options we have available to us.” Sim continued, adding the company has since pushed another version of its app to the Play Store – one without a smartphone mining capability.
But despite its prompt intervention, it appears Google is not all that consistent in enforcing its rules. “I can see another unofficial JSEcoin Mining app that has been on there since beginning of this year that has not been removed,” Sim told us. (Please note we have not confirmed if the unofficial app comes with on-device mining capabilities. Sim, however, confirmed the app is not developed by JSEcoin.)
The tip of the iceberg
Naturally, as JSEcoin was able to launch a mining app after the Google policy update, we were intrigued as to the whether they were alone. As it turns out, JSEcoin is just one of many so-called “mining apps” that are – at the time of writing – still live on the Play Store.
One app we found, called MinerGate, has been live for over a year and has over 1,000,000 downloads. Among other things, the app makes it possible to mine Monero directly on your phone. “Start mining cryptocurrencies on the go,” its description reads. “Most promising altcoins, such as Monero and Bytecoin.”
“Make a mobile crypto fortune with MinerGate,” the marketing text continued.
In its 8,000-plus reviews, some MinerGate users claim great profits, while others cite issues such as an inability to transfer any mined coins to a useable wallet, calling the app a scam.
We reached out to MinerGate’s developers to discuss how the app mines, but received no response.
However, we were able to confirm the app indeed supports on-device mining (with a little help from security researcher Troy Mursch from Bad Packets Report). At least MinerGate wasn’t lying about it.
We even downloaded the app to see for ourselves, and in the space of ten minutes, as we should have expected, our device got hot and the battery drained much faster than normal.
We also used a mobile web traffic monitoring solution to confirm that MinerGate is indeed mining. We shared the traffic logs with Mursch, who assured us MinerGate is “1000 percent” mining.
“In general, cryptocurrency mining is solving a difficult mathematical problem for a monetary reward. This same principle applies to Monero,” Mursch told Hard Fork. “The hashing process itself is CPU intensive because any given hash can’t be reverse engineered and essentially has to be calculated via brute force.”
That is also why your phone gets hot when mining.
“A mined hash consists of the last block in the blockchain plus a nonce. A nonce is a randomly generated number used once,” Mursch continued. “[The logs you shared] show these elements.”
In short, this shows that the app is communicating with a mining pool to confirm and add blocks to a blockchain – it’s mining.
Along with MinerGate, there are still plenty of other apps that claim to be able to mine cryptocurrency, generating profit directly from your smartphone. Although, we haven’t confirmed that these are actually mining, XDA developers still list five that claim to do so on the Play Store. Namely: MinerGate (which we already discussed), Crypto Miner PRO, Pocket Miner, AA Miner, and NeoNeonMiner. We also found Pickaxe Miner, Bitcoin Miner and Free BCH Miner.
The developer of Crypto Miner PRO, Jesus Oliver, has five cryptocurrency mining apps to their name that are still available on the Play Store. It would appear that the Big G haven’t followed up on their promise of banning apps of this nature.
Should we worry?
However these mining apps are part of a much bigger issue, which has seen Google do little more than make policy changes to protect its Play Store users from malicious cryptocurrency apps.
In all fairness, this is hardly the first time Google has been caught allowing potentially dangerous apps on the Play Store. In a way, the cryptocurrency ban is a direct response to the risk of crypto-jacking scripts.
Outlawing on-device cryptocurrency mining apps on the Play Store is a move designed to protect against malicious developers, seeking to profit on the backs of users.
“I think this is a good move,” security researcher Lukas Stefanko told Hard Fork about the Google Play crypto-mining ban. “Banning mining apps makes sense because most of them were just adware, fake apps, or simply mining for the developer – not the user.”
Mursch tends to agree with Stefanko. “I think it’s [a] fair ban given the surreptitious nature we’ve see with crypto-jacking,” he told us. “Most users are unaware of the repercussions involved with mining cryptocurrency on a mobile device.”
Then there is the risk of physical damage. “If you leave a mobile device plugged in while mining cryptocurrency unthrottled, there is a legitimate risk it could lead to physical damage.”
However, removing the apps from the Play Store creates another concern. There will always be people who want to mine cryptocurrency, and they will do it anyway they can. Removing the apps doesn’t mean they won’t be available elsewhere.
What we may see is the rise of third-party cryptocurrency mining apps that users must install from untrusted developers. This opens the door for more malicious, illegitimate apps, which could cause possible permanent damage to users’ devices.
It’s clear that Google need to sharpen up when it comes to enforcing their policy updates. But even if these mining apps do get removed, it doesn’t mean that the world will be entirely safe from crypto-jacking or cryptocurrency mining malware.
Smartphones are not cryptocurrency miners. As Mursch puts it: “mobile devices are not designed, nor optimized to mine cryptocurrency.”
Update August 17, 15:10 PM UTC: Google has since contacted Hard Fork to clarify developers have 30 days to ensure their apps adhere to its revised policies. This would explain why certain mining apps (listed before last month’s ban) continue to appear on the Play Store.
That said, it remains unclear how JSEcoin’s app managed to slip through Google’s protective filters. We await their response.
Disclaimer: This piece mentions several startups that are running (or planning to run) initial coin offerings. Please note that we are not in any way endorsing any of these companies. Do your own research before investing.
Published August 17, 2018 — 14:39 UTC