
Apps with millions of Google Play downloads covertly mine cryptocurrency - OWaz
http://arstechnica.com/security/2014/03/apps-with-millions-of-google-play-downloads-covertly-mine-cryptocurrency/
======
devindotcom
This is pretty hilarious. Given how small the load can be to automatically
contribute hashes to a pool for ___coin, I expect more of these in the future,
but smarter. Runs for 5 seconds per minute on ten million devices for six
months? That's no joke with some of the hardware out there.

It's _this_ close to a victimless crime (that is, unless the victim gets their
CPU/GPU fried, as has happened with these nets before). But what about apps
that use spare cycles while you're plugged in, or above 75% battery, or
between hours x and y, to mine dogecoins for charity? People would voluntarily
submit to that!

~~~
UweSchmidt
It's the disdain for the user. Take their data, use their CPUs, whatever.
Users are dumb, they won't notice, and hey, the app's free anyway.

Back in the day, the software on my "Personal Computer" was my friend. It was
all wonderful things to have and to learn about.

Looking at my smartphone that's right here on my table, it's shiny, but I've
long felt a distinct lack of control over the thing. And now this: Hello - any
of you apps mining anything right now in there?

~~~
clef
I just use the factory apps and have nothing else installed, this way no one
mines anything out of me.

~~~
qq66
Except Google mining all your data (if you use Android)

~~~
Yetanfou
That would be strange, given that the only Google-produced code on my Android-
running phone comes from AOSP and has had plenty of eyes (and network
sniffers, and firewalls, etc) on it to weed out any such mining.

If you run Google applications (on Android or on iOS or elsewhere) you send
data to Google. If you don't want to send data to Google, don't run Google
applications. The same goes for Apple applications which phone home to Apple,
Microsoft applications to Microsoft, etc.

Android works fine without Google applications ('gapps'). It does not need the
Google Services Framework to survive. You don't need the (horribly named)
'play store'. Nor Gmail, Google Maps, Google+, etc. This is one of the big
differences between Android and the other bigger players in this field - you
have a choice.

------
changdizzle
This is alarmingly similar to the ESEA situation where ESEA (a premium
membership gaming community) discreetly built a bitcoin miner into their anti-
cheat client [1], fried some users' graphics cards and were found out then
fined $1MM. [2]

[1] [http://www.theverge.com/2013/5/2/4292672/esea-gaming-network...](http://www.theverge.com/2013/5/2/4292672/esea-gaming-network-bitcoin-botnet)

[2] [http://www.wired.com/wiredenterprise/2013/11/e-sports/](http://www.wired.com/wiredenterprise/2013/11/e-sports/)

------
incomethax
This could be an interesting model to do out in the open. Rather than covertly
mine cryptocurrency, say that the app is free if you contribute hashes to a
pool, or you can buy the premium version that doesn't.

Almost like the "slow" version vs the "fast" version of an app.

~~~
clef
Didn't this idea start with SETI@home in the 90s?

~~~
incomethax
The idea of sharing computation cycles certainly did, however, converting
those computation cycles into currency so it can fuel other "real" work is
most definitely a by-product of bitcoin.

------
svas
<shameless plug>

I've been working on an idea similar to this for a few months. Instead of
limiting this to cryptocurrency mining (a fair application, FWIW), why not
approach this with the idea that people plugging in their phones every night
could easily constitute the _largest_ distributed supercomputer ever built?
Everyone has the same nightly ritual: Wake up, use phone/tablet/device, plug
in at night. Once it's plugged in, your phone charges to 100% after a few
hours, and then essentially sits there for x hours effectively doing nothing
(that's a little sensationalist, but it highlights my point). Folding@Home, et
al have done this before, but the silver bullet here is that no one turns off
their phone when it charges at night - perhaps to maintain the off chance they
receive a random 4 AM phone call.

Now if you can combine this with an SDK (say... something JavaScript based)
that makes it easy to write/deploy compute jobs/"apps", you have a real
distributed computing platform. You can also maintain security by using a
similar proof-of-work scheme that bitcoin uses to prevent fraudulent mining.

The real challenge here is incentivizing people to run your app. Here's my
sign up form for an early private beta for anyone who is interested.

[http://stynt.co](http://stynt.co)

~~~
dclusin
I thought of this as well, but more along the lines of protein folding. I
think finding a cure for one of those diseases would be more than enough for
most people to justify the power consumption.

~~~
svas
Folding@Home, and the BOINC network over at Berkeley have done a great job at
this already. [http://boinc.berkeley.edu](http://boinc.berkeley.edu)

There's still an immense opportunity to tap unused cycles if you give people
another reason to donate their device time. Unfortunately, altruistic purposes
don't always appeal to the masses :-)

------
herf
These schemes mostly just convert electricity to cryptocurrency. The
electricity is almost always more expensive than the value, but the app
authors aren't paying the bill.

If you're plugging in your 5W charger for less than half the day, the limit is
maybe $2/year/user, assuming you can get away with it for a year...

~~~
TrainedMonkey
$2 is way too high. I would say a cent per week tops.

~~~
warp
Let's say 5W for 8 hours per day, that's 14 kWh per year.

Last year I paid 17.51 eurocents per kWh, so it would be EUR 2.45 per year for
me ($3.37 per year).

~~~
TrainedMonkey
My bad, I thought you were talking about how much could be made with the phone
mining.

------
DigitalSea
I think what surprises me most about this situation is that even though the
supposedly offending apps (Songs in particular) have been downloaded and
installed between one and five million times, they only possibly generated the
author a few thousand Dogecoin. Seems like a big risk for a few dollars;
wouldn't advertisements be a more profitable option?

~~~
scott_karana
Doesn't the app have ads in addition to the mining aspect?

As someone pointed out in a similar past thread, 1 coin for $0 of energy is
still an infinite profit.

~~~
MichaelGG
That's putting a value of zero on being fined (or worse). I don't think the
risk is non-zero. Just takes one zealous AG to file a case against you (even
if you're out of jurisdiction, there's a non-zero chance you might end up
passing through at some point).

~~~
scott_karana
Yes, that's definitely true. I don't know what kind of vetting is performed
for free apps on the Play Store, but for all we know, couldn't it be someone
pseudonymous in a non-extradition country uploading via Tor?

------
logicchains
I wonder how viable doing this openly would be as a free-to-play business
model? Being upfront with the user: "we're not going to show you any ads and
you won't have to pay anything for extra content, but we'll be using a tiny
proportion of your CPU time to mine cryptocurrency to pay for the development
costs of this app."

~~~
kevingadd
It was done secretly in the recent past, and apparently while it lasted
(weeks, I think?) it brought in something like $6k. It helps that most gamers
have fairly powerful graphics cards.

If you mapped bitcoins mined to microtransaction currency (for in-game
rewards) most players would love it.

~~~
ckuehl
Not sure if this is what you're referring to, but this was done last year in
secret by ESEA, a US gaming league (primarily Counter-Strike) [1].

They claim the value was almost USD$4,000 over about two weeks, although we
don't really know how many users were affected and for how long. This doesn't
seem like an extraordinary amount, though, especially if we're talking about
using mobile phones instead of high-end gaming PCs.

[1] [http://www.pcgamer.com/2013/05/01/esea-accidentally-release-...](http://www.pcgamer.com/2013/05/01/esea-accidentally-release-malware-into-public-client-causing-users-to-farm-bitcoins/)

------
diminoten
> the purveyor of the apps subsequently earned thousands of Dogecoins

So like 5 bucks?

------
apaprocki
Careful.. The New Jersey DA is trying to go after an MIT student for simply
exploring the freemium mining concept at a hackathon. He got MIT and the EFF
to back him, but there are probably others looking to make an example out of
someone.

[http://venturebeat.com/2014/02/12/new-jersey-slaps-mit-bitco...](http://venturebeat.com/2014/02/12/new-jersey-slaps-mit-bitcoin-hackers-with-subpoena-and-theyre-fighting-back/)

~~~
ethanbond
Yep, at RPI we had a research project doing something a bit similar by tying
bitcoin transactions to the HTTP protocol itself to enable on-the-fly payments
with an alternative of on-the-fly mining.

RPI lawyers told us to stop after we asked for counsel due to money
transmitter laws. A few months later the MIT kid got hit with a subpoena.
Bullet dodged for us but I really hope he pulls through with a win.

~~~
endersshadow
This is the thing that worries me the most about Bitcoin and other
cryptocurrencies--because I want them to succeed--there are myriad laws
surrounding money transfers, especially electronically. There are tax
implications, as well. There are also huge trade agreements internationally--
and even intranationally--that come into play, as well. Banks and credit card
companies currently handle most of the legality of these things, but with
cryptocurrencies, there are no banks--these are essentially cash transactions.

I expect more and more folks will start to "discover" the real legal
implications of some of these types of applications. I'm sure we'll see some
story or what have you, and we'll all cry foul, even though the laws have been
in place for many years and we mostly (albeit somewhat unknowingly) abide by
them.

I also expect that folks will "discover" why we have central banks for
currencies, and why Alexander Hamilton was a Smart Guy.

While cryptocurrencies are new, the problems they'll face aren't--in fact,
we've solved these problems mostly in developed countries. They still exist
pretty readily in developing countries, though. What happens when we start
selling securities based around cryptocurrencies, such as derivatives? If you
think the SEC will allow Americans to buy, sell, and even _discuss_ securities
openly, you are out of your mind.

What about money laundering? When/if you ever work for a bank or an investment
firm in the US, you'll take some training around money laundering (there are
even tests at the end). The SEC (allegedly) holds these firms responsible for
spotting, reporting, and stopping money laundering schemes. What happens when
money laundering happens over an exchange? How will that be handled?

Sorry for the long-windedness...your anecdote just got me thinking.

------
kawliga
I wonder if one could create a pyramid scheme app out of this? An invite only
one.

1st guy - 100% mining load & all profit.

2nd and 3rd guy split the mining load and 99.99% of the profit.

and so on...

~~~
kawliga
wait... forget invite only - anyone could download.

Your rank would depend upon how early you became a member and how often you
leave the app running. The mining load would increase/decrease depending upon
how many users are running the app at the time.

Also, place ads on the app.

~~~
riffraff
[http://wowsuchponzi.com/](http://wowsuchponzi.com/)

------
IgorPartola
I wonder if the new mobile GPUs are any good at mining scrypt-based
currencies. It's possible that this could be fairly profitable. I don't think
that long term this is going to replace ads though. Cryptocurrencies are too
volatile at this point and I'd wager that ads are going to continue being much
more profitable.

------
wcfields
I had this as a day dream a month ago. Thought it would work as in-app currency
that I would give to the users and the servers / AWS bill would be subsidized
by the collective micromining.

------
blueskin_
This is why the permissions model needs to be improved - not just to
deny/grant normal ones, but also to stop apps from unexpectedly running in the
background.

------
zemanel
Saddens me how low people can go for one or many bucks.

------
yoodenvranx
Are there any examples where somebody used JavaScript on a website to do
something like this?

------
vlasev
Why not make an app that uses your phone during charging at night to mine
coins for charity?

------
ryeguy_24
Sorry, irrespective of the legality or morality, this is quite a creative
idea.

------
stefan_kendall3
Users don't want to pay, and they don't want ads.

The scale has to tip eventually.

~~~
dublinben
Thankfully there's an excellent repository full of free software with no ads.

F-Droid.org in case you've never heard of it.

------
Rasmase
What is the hashrate on these? Couldn't imagine it being very high...

------
donniezazen
No wonder Songs is an app to download pirated Bollywood songs.

------
lazylizard
For all that trouble, why don't they (makers of these apps) just buy a PC with
a pair of reasonable ATI cards?

~~~
kevingadd
For a F2P app, the cost of doing this is basically 0 and the revenue will
continue to increase as long as the app keeps getting popular. Doesn't matter
if the revenue is small, it's still more revenue from your F2P app.

~~~
MichaelGG
Certainly some jurisdiction might decide this isn't "fair" and attempt
prosecution? May be worth a headline someplace near election time.

------
gargarplex
Am curious which, if any, Android AV providers caught this.

------
signa11
would you like 1024 chickens or 2 oxen ?

------
rmrfrmrf
It's always good to see Android users enjoying their freedom from Apple's
tyranny.

