BadLepricon Mobile Malware Mines for Bitcoin Gold

  • April 25, 2014
  • 2 min read


A new mobile malware that turns your device into a Bitcoin mining bot has been discovered on Google Play. Known as BadLepricon, the malware is propagated through Trojan downloads disguised as live wallpaper apps that display pictures of attractive men, women, and unique graphic designs. In the background, the malware actually uses infected Androids’ computing resources to earn cryptocurrency for its author.

A (Bad) Background

Hijacking computers to mine for cryptocurrency is not a new development. As is currently stands, however, Bitcoins have reached such a level of cryptographic complexity that it requires a massive amount of computing power to create new ones. For this reason, authors who create “Bitcoin mining botnets” usually focus on targets that can provide a large amount of computing power – as was done in a recent attack against servers at Iowa State University. Malware mining attackers have also been known to directly target PCs in hopes that they will somehow infect and combine the power of millions of devices, as was seen in Emsisoft’s discovery of the Linkup ransomware. That BadLepricon has been designed to target Android devices is therefore incredibly ambitious, as each individual device provides very little computing power. Nevertheless, Bitcoin miners can be extremely demanding to an Android’s hardware and can actually overheat and destroy the device.

How Does It Work?

Though they may never make any money, the makers of BadLepricon have actually implemented a number of capabilities that prevent the malware from overworking an infected device. This implies that said creators are either incredibly polite, or that they have realized that an overheated Android is likely to arouse suspicion.

In addition to mining for Bitcoins, BadLepricon actually monitors battery life, screen display, and network connectivity every 5 seconds. In order not to overwork its host, the malware will only engage in Bitcoin mining if the Android has over 50% battery life, its screen display is off, and it is not actively searching for a network connection.

These capabilities work to hide the malware from user detection and represent an evolution in mobile Bitcoin mining malware. Past variants – which infected up to 5 million devices – did not feature such functionality, and as a result were quickly detected when users noticed that their devices were running hot.

How Can I Stay Protected?

Users running Emsisoft Mobile Security are automatically protected from this threat and other mobile miners of the like. Additionally, we recommend un-checking the Android setting that enables downloads from unknown sources. As of April 24th, BadLepricon has been officially flagged as malicious by Google and removed from Play, however the recent shift towards mobile malware indicates that similar threats are likely to emerge again.

Have a Great (Mobile-Malware-Free) Day!



Freelance writer and security enthusiast based in the USA.

What to read next

Reader Comments