Android security: Coin miners show up in apps and sites to wear out your CPU
[QUOTE] Security researchers are concerned about the rise of cryptocurrency miners that are being embedded into websites and apps to use a device's resources without gaining permission. Security firm Trend Micro discovered three Android apps on Google Play with two different miners. Two of the apps, Recitiamo Santo Rosario Free and SafetyNet Wireless App, use the popular Coinhive JavaScript in-browser Monero miner, while a third app, called Car Wallpaper HD: mercedes, ferrari, bow and audi, includes a malicious version of the legitimate cpuminer library. Google removed the apps after being alerted to their hidden mining capabilities. The JavaScript miner runs inside the app's built-in browser but it gives no indication to the user that the miner is running. Trend Micro notes that the phone's CPU usage will be "exceptionally high" when the JavaScript code is running.[/QUOTE] [URL="http://www.zdnet.com/article/android-security-coin-miners-show-up-in-apps-and-sites-to-wear-out-your-cpu/"]Source[/URL]
I don't even know why people bother, the difficulty is such that unless millions of people use your site/app you're never going to mine anything significant.
[quote]wear out[/quote] [quote] causes wear and tear[/quote] That's not how CPUs work
My CPU is a living organism so that makes sense.
[QUOTE=waylander;52843616]I don't even know why people bother, the difficulty is such that unless millions of people use your site/app you're never going to mine anything significant.[/QUOTE] How this works now is that all websites/apps that use this are put in one large mining pool and bitcoins are distributed amongst them.
[QUOTE=waylander;52843616]I don't even know why people bother, the difficulty is such that unless millions of people use your site/app you're never going to mine anything significant.[/QUOTE] I mean, if they were using WebAssembly they might be getting more serious gains. But you need to think about the bigger picture here. If you have millions of users, and you're connected in a pool with thousands of other websites, the earnings would not be even remotely insignificant. You know how little ads generate, right? It's not about the individual unit, it's about the whole.
[QUOTE=phygon;52843623]That's not how CPUs work[/QUOTE] There is [I]some[/I] damage that appears over time due to material migrating afaik, but afaik that's negligible compared to most other parts in a phone even if the thing's running at full power 24/7.
[QUOTE=phygon;52843630]I mean, if they were using WebAssembly they might be getting more serious gains. But you need to think about the bigger picture here. If you have millions of users, and you're connected in a pool with thousands of other websites, the earnings would not be even remotely insignificant. You know how little ads generate, right? It's not about the individual unit, it's about the whole.[/QUOTE] In TBP's case I can see the value; they still get a lot more traffic than I expected.
[QUOTE=Tamschi;52843633]There is [I]some[/I] damage that appears over time due to material migrating afaik, but afaik that's negligible compared to most other parts in a phone even if the thing's running at full power 24/7.[/QUOTE] I mean, given that traces inside cpus are now two atoms thick and we've pushed them to the point that going any smaller results in particles quantum tunneling over transistors, I'd be surprised if you could damage any part of a cpu even 'slightly' and have the system not rendered useless immediately. Then again, I don't know that much about hardware at this level. Maybe somebody else can chime in?
Even if it's not true, companies need to be up front about doing this and they all need to be opt-in. I don't need any other reason not to want it on my device other than literally "I don't want it on my device".
[QUOTE=unrezt;52843655]Even if it's not true, companies need to be up front about doing this and they all need to be opt-in. I don't need any other reason not to want it on my device other than literally "I don't want it on my device".[/QUOTE] Quite frankly? If you don't want it on your device, don't go to the website. I think that it's a shitty practice and I avoid all websites that do it. If enough other people do the same, then it will not be a problem because they will stop.
Kiwi Farms has a good miner system where you can choose to contribute x% of your cpu or even none at all. I don't mind it the least bit. With transparency I think it can work for some communities.
[QUOTE=phygon;52843657]Quite frankly? If you don't want it on your device, don't go to the website. I think that it's a shitty practice and I avoid all websites that do it. If enough other people do the same, then it will not be a problem because they will stop.[/QUOTE] Then the website/app better make it damn clear when I'm visiting download. Not hiding one obscurely worded sentence amongst 16000 lines of legalese terms and conditions.
[QUOTE=mdeceiver79;52843660]Then the website/app better make it damn clear when I'm visiting download. Not hiding one obscurely worded sentence amongst 16000 lines of legalese terms and conditions.[/QUOTE] Counterpoint: If you don't realize that the site is chewing up your CPU, then it isn't actually a problem because it isn't impacting your use of the site. I will gladly accept these over ads which can/do get infected regularly. I got what was essentially a drive by rootkit on my laptop from an infected ad a few weeks ago.
[QUOTE=phygon;52843679]Counterpoint: If you don't realize that the site is chewing up your CPU, then it isn't actually a problem because it isn't impacting your use of the site. I will gladly accept these over ads which can/do get infected regularly. I got what was essentially a drive by rootkit on my laptop from an infected ad a few weeks ago.[/QUOTE] And what about when I'm navigating on a laptop/phone on battery? And all of a sudden it burns off 5-15% of my battery by just reading an article for 3 minutes
[QUOTE=meek;52843659]Kiwi Farms has a good miner system where you can choose to contribute x% of your cpu or even none at all. I don't mind it the least bit. With transparency I think it can work for some communities.[/QUOTE] There's an app that I am looking at throwing on my old 5s and using it as a miner, can't recall the name though.
[QUOTE=phygon;52843679]Counterpoint: If you don't realize that the site is chewing up your CPU, then it isn't actually a problem because it isn't impacting your use of the site. I will gladly accept these over ads which can/do get infected regularly. I got what was essentially a drive by rootkit on my laptop from an infected ad a few weeks ago.[/QUOTE] It's pretty frustrating when I'm trying to browse the Internet while doing something CPU-intensive, only to have everything lock up because an obnoxious ad is suddenly competing for CPU cycles. I also tend to wonder what's going on when I hear my CPU fan start to spin up, especially if I'm just browsing and there's no clear cause. I'm sympathetic to website owners turning to other forms of monetization now that ads are becoming unprofitable, but tying up system resources without disclosure isn't okay IMO. I'd be perfectly okay with it as long as it's communicated to me.
[QUOTE=catbarf;52843881]It's pretty frustrating when I'm trying to browse the Internet while doing something CPU-intensive, only to have everything lock up because an obnoxious ad is suddenly competing for CPU cycles. I also tend to wonder what's going on when I hear my CPU fan start to spin up, especially if I'm just browsing and there's no clear cause. I'm sympathetic to website owners turning to other forms of monetization now that ads are becoming unprofitable, but tying up system resources without disclosure isn't okay IMO. I'd be perfectly okay with it as long as it's communicated to me.[/QUOTE] As long as it's communicated and it's properly limited to, say, 5% of CPU usage.
[QUOTE=phygon;52843623]That's not how CPUs work[/QUOTE] That's very much how CPUs work. Repeated heating cycles result in cracks in the solder joints. If you have bad luck this can result in early failure.
[QUOTE=Dr. Evilcop;52843893]As long as it's communicated and it's properly limited to, say, 5% of CPU usage.[/QUOTE] How do you expect them to be able to tell what 5% usage is? Honestly, the most we can expect is likely just legislation requiring them to report that they are doing it. [QUOTE=DrDevil;52844043]That's very much how CPUs work. Repeated heating cycles result in cracks in the solder joints. If you have bad luck this can result in early failure.[/QUOTE] Can you pull a citation on this? No processor should experience any more wear idling than it does at 100% unless your cooling isn't adequate, afaik. There were some people commenting earlier that they'd be fine with it as long as there was an option to turn it off- do you really think they would give you that option? Who on earth would leave it on? That'd be like a button to turn off all ads. A donation/subscription, sure. But just an option to disable it? No way.
Personally I'm very much against these practices, especially them becoming widespread, and I'm sure most of you are too. But what would you say to the casual user's argument "What's the harm? Not like I'm using that processing power and if it lets me enjoy free content, why not?"
[QUOTE=Talishmar;52844426]Personally I'm very much against these practices, especially them becoming widespread, and I'm sure most of you are too. But what would you say to the casual user's argument "What's the harm? Not like I'm using that processing power and if it lets me enjoy free content, why not?"[/QUOTE] There is no harm when they actually tell you they're doing it. The maliciousness comes from them doing it in secret.
I'd rather not have random websites eat through my battery. My battery is limited enough as is.
[QUOTE=phygon;52844107]How do you expect them to be able to tell what 5% usage is?[/QUOTE] You can easily limit average CPU usage in any programming language, lol. Here's an example in C, but all it requires is a timer accurate to milliseconds. [url]https://stackoverflow.com/questions/23293157/limit-cpu-use-of-c-program[/url] Basic idea is you time how long it takes to complete one loop of whatever you're doing, then set a delay based on that time and what percentage CPU utilization you want to use. The operating system automatically knows to release the CPU to other tasks during a delay.
-this is pointless and we are arguing something that doesn't even matter-
[QUOTE=phygon;52844954]I was speaking of JavaScript being run in the browser- I might be wrong, but I don't think that you can get completely accurate or even reliable readings from a js script as far as timing goes due to the way that it runs in browsers. I made that post after searching for myself for any info on how it might be achieved, not finding much of anything. Even the thing that you posted, even though it's running directly on the host OS written in straight C, admits that it won't be completely accurate or reliable. This might also be my personal bias against JS and its reliability, though.[/QUOTE] Since when did it need to be completely accurate? Nobody is gonna care if it's actually using 4.95% or 5.25% CPU utilization instead of 5.00000%. The point was to limit CPU utilization to an acceptable level. That's how you do it in a language and platform agnostic way. And yes, it will work with JavaScript. The reason it's not 100% accurate is because of how modern operating systems handle multiprogramming; you never know when the OS is going to pause your thread of execution to let another one run. It has literally nothing to do with JS and it affects [I]all[/I] userland programs regardless of what language or environment they're running in. Theoretically if you were working with, say, C, you could get more accurate by querying the operating system. Linux offers /proc/stat for example. However, for obvious reasons you wouldn't/couldn't do that in JS.
Also to address your other point it's a little bit complicated. It's pretty much heating and cooling cycles that will eventually kill your processor. Theoretically running your CPU at full utilization endlessly won't do any damage so long as you keep temperatures within operating bounds. However, having your CPU maxed out and heating up every so often - say when you visit a web page mining bitcoins - and then going back down to idle temp - when you close the website tab, for example - can do some damage over a long period of time. Phones and laptops have notoriously bad cooling (obviously) and are particularly susceptible to this, in addition to it also taking up additional battery life. Granted, this will happen during normal usage. It's just a bit scummy that your CPU's life is potentially being shortened for someone else's profits, in addition to sucking up battery life and bogging down your system, in secret.
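Added example, not part of any post in this thread: the "time one loop, then delay in proportion" idea from the posts above, written in JavaScript. It keeps cumulative busy and idle totals so that a sleep which overshoots (the scheduling inaccuracy discussed above) is paid back on the next iteration. The names DutyCycle, pauseAfter, slept, simulate and runThrottled are hypothetical, and the work durations passed to simulate are constructed values.

```javascript
// Added example, not code from the thread. DutyCycle, pauseAfter, slept,
// simulate and runThrottled are hypothetical names chosen for illustration.

class DutyCycle {
  constructor(target) {              // target share of one core, e.g. 0.05
    if (!(target > 0 && target <= 1)) throw new RangeError('target must be in (0, 1]');
    this.target = target;
    this.busy = 0;                   // ms spent working so far
    this.idle = 0;                   // ms actually spent sleeping so far
  }

  // Call after each unit of work with its measured duration.
  // Returns the sleep (ms) that brings busy / (busy + idle) back to target.
  pauseAfter(workMs) {
    this.busy += workMs;
    const idleOwed = this.busy * (1 - this.target) / this.target;
    return Math.max(0, idleOwed - this.idle);
  }

  // Record the sleep that really happened. Timers and the OS scheduler can
  // overshoot, so the next pauseAfter() shrinks to compensate.
  slept(actualMs) { this.idle += actualMs; }
  utilization() { return this.busy / (this.busy + this.idle); }
}

// Deterministic run: constructed work durations, every sleep overshoots by overshootMs.
function simulate(target, workTimesMs, overshootMs) {
  const dc = new DutyCycle(target);
  for (const w of workTimesMs) {
    const pause = dc.pauseAfter(w);
    dc.slept(pause > 0 ? pause + overshootMs : 0);
  }
  return dc.utilization();
}

// Real-timer driver for a browser or Node: workUnit is any short synchronous task.
async function runThrottled(workUnit, units, target) {
  const dc = new DutyCycle(target);
  for (let i = 0; i < units; i++) {
    const t0 = performance.now();
    workUnit(i);
    const pause = dc.pauseAfter(performance.now() - t0);
    const s0 = performance.now();
    await new Promise((resolve) => setTimeout(resolve, pause));
    dc.slept(performance.now() - s0);
  }
  return dc.utilization();
}
```

This caps the script's own average share of one core; it cannot see what else the machine is doing, which is the part that would need something like /proc/stat.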