Google Pulls Five Mobile Wallpaper Apps Due to Bitcoin Mining Malware

Newly discovered bitcoin mining malware shows a greater degree of sophistication, says mobile security firm Lookout.

AccessTimeIconApr 24, 2014 at 10:56 p.m. UTC
Updated Sep 11, 2021 at 10:42 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Lookout, a mobile security startup based in San Francisco, has identified a new type of bitcoin mining malware that targets mobile devices. Dubbed 'BadLepricon', the malware represents a more sophisticated type of mining malware attack than previously seen.

The malware was designed to be delivered via a wallpaper app. Lookout identified five separate apps that contained BadLepricon, and Google removed the apps soon after being contacted by the mobile security firm.

The company announced the discovery in a 24th April blog post, citing the specifics of the malware.

CoinDesk spoke with Michael Bentley, head of Lookout’s research and response team, who said that the malware presents a new level of sophistication not normally seen in this type of cyberattack, adding that the malware writer knew what he or she was doing.

Said Bentley:

“When [malware authors] are looking into protecting the phone, making sure certain conditions exist, and making sure you’re participating in a pool, it tells us that they are a more experienced developer.”

Botnet development

The writer of BadLepricon used a stratum mining proxy that lets the botnet operator control where bitcoins are being sent and which nodes are being mined.

Additionally, BadLepricon is designed to maximize mining output from a single device. The mining program only runs when the display is off and when the battery life is greater than 50%. This also acts to protect the phone from heat damage, which masks one of the major symptoms of a mobile-based mining malware attack. It appears that some users may have been affected.

According to Lookout, the apps had an average of 100-500 downloads before the malware was discovered.

Bentley remarked that, ultimately, these types of attacks don’t produce enough hashing power to actually solve a block or produce bitcoins. However, he expects program authors to develop more botnet-style mining malware in the future.

He said:

“As cellphone power increases, and as devices are [more] available, it’s a logical next step.”

Recent attacks

While the majority of bitcoin malware programs are focused on hacking wallets, mining malware attacks do present a threat to computer systems that can be exploited for hashing power. This was shown in a recent study published by Kapersky Labs.

announced this week that it had discovered a server breach that compromised student data. The school stated that the malware was designed to mine bitcoins, although it is unclear if the effort was successful.

BadLepricon is also not the first type of malware to disguise itself on the Google Play store. Earlier this year, two malicious apps were discovered that turned affected mobile devices into dogecoin and litecoin miners.

Password security image via Shutterstock.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.