Google bans Android miners from Play Store
Google has cracked down on apps that mine for cryptocurrency, banning them entirely from its official Google Play Store.
The company quietly updated its developer policy page with the following statement:
We don’t allow apps that mine cryptocurrency on devices. We permit apps that remotely manage the mining of cryptocurrency.
The policy change means that programs using the device’s own processing power to mine cryptocurrency will no longer be allowed in the official Google Play Store, but that Google is still OK with programs that manage cryptocurrency mining services operating elsewhere.
The move mirrors one by Apple, which banned cryptocurrency miners from its stores in June. It also follows other measures by Google to stamp out cryptocurrency mining programs delivered via its products and services. In April, it banned cryptocurrency mining extensions for its Chrome browser from the Chrome store.
This may stop cryptomining, where people voluntarily give up their phone’s processing power to generate digital coins. It is less likely to stop cryptojacking, where apps deliver a legitimate service but also do some cryptomining on the side without the user’s explicit consent.
Cryptojacking has been a growing problem in Android apps. Last year, cryptomining code was found in several apps that had been approved by the Google Play Store. In April, researchers discovered that various Play Store apps that secretly mined for cryptocurrency had been downloaded more than 100,000 times.
A lot of cryptojacking malware is delivered under the radar, because the apps download their malicious code after the user has installed them. Some of them retrieve their cryptojacking code via mobile ads. This makes it harder for Google’s automated malware scanning tools to find them. Google has in the past removed apps that it discovered were cryptojacking.
The search giant has also had to clean up its own YouTube network after it found the ads delivered via the Google-owned DoubleClick advertising service were turning viewers into cryptocurrency miners without their knowledge or consent. It had to erase the ads, which used JavaScript code, to stop them compromising users’ computers and mining using their processing power.
The wording in Google’s developer policy is scant, and there was nothing on the Android or Android Developers’ blog about it at the time of writing, but perhaps we can find some guidance in its explanation for the Chrome cryptomining ban. It said:
Until now, Chrome Web Store policy has permitted cryptocurrency mining in extensions as long as it is the extension’s single purpose, and the user is adequately informed about the mining behavior. Unfortunately, approximately 90% of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with these policies, and have been either rejected or removed from the store.
It’s also worth pointing out that the consequences for badly-managed mining on a phone can be more severe than on a PC. The Loapi malware, which mined for cryptocurrency without the user’s consent, wrecked a phone in 48 hours by overloading its processor so much that the battery swelled up and burst the phone’s case.
The ban will make the anti-cryptojacking stance official, but it will also hit cryptomining apps, which allow users to willingly use their phone's processing power to mine cryptocurrency. The brief wording in Google’s developer policy suggests that even apps mining with the user’s consent will be axed.
Several well-known mining apps were still available on the Google Play store at the time of writing, including Pocket Miner, AA Miner, and NeoNeonMiner. Perhaps Google hadn’t completely enacted its rules yet. It took two months to scrub mining extensions from the Chrome store after the Chrome mining crackdown, so this isn’t entirely surprising.
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1VUo4I1SKuY/