Google Pulls Five Mobile Wallpaper Apps Due to Bitcoin Mining Malware

Newly discovered bitcoin mining malware shows a greater degree of sophistication, says mobile security firm Lookout.

AccessTimeIconApr 24, 2014 at 10:56 p.m. UTC
Updated Sep 11, 2021 at 10:42 a.m. UTC

Lookout, a mobile security startup based in San Francisco, has identified a new type of bitcoin mining malware that targets mobile devices. Dubbed 'BadLepricon', the malware represents a more sophisticated type of mining malware attack than previously seen.

The malware was designed to be delivered via a wallpaper app. Lookout identified five separate apps that contained BadLepricon, and Google removed the apps soon after being contacted by the mobile security firm.

The company announced the discovery in a 24th April blog post, citing the specifics of the malware.

CoinDesk spoke with Michael Bentley, head of Lookout’s research and response team, who said that the malware presents a new level of sophistication not normally seen in this type of cyberattack, adding that the malware writer knew what he or she was doing.

Said Bentley:

“When [malware authors] are looking into protecting the phone, making sure certain conditions exist, and making sure you’re participating in a pool, it tells us that they are a more experienced developer.”

Botnet development

The writer of BadLepricon used a stratum mining proxy that lets the botnet operator control where bitcoins are being sent and which nodes are being mined.

Additionally, BadLepricon is designed to maximize mining output from a single device. The mining program only runs when the display is off and when the battery life is greater than 50%. This also acts to protect the phone from heat damage, which masks one of the major symptoms of a mobile-based mining malware attack. It appears that some users may have been affected.

According to Lookout, the apps had an average of 100-500 downloads before the malware was discovered.

Bentley remarked that, ultimately, these types of attacks don’t produce enough hashing power to actually solve a block or produce bitcoins. However, he expects program authors to develop more botnet-style mining malware in the future.

He said:

“As cellphone power increases, and as devices are [more] available, it’s a logical next step.”

Recent attacks

While the majority of bitcoin malware programs are focused on hacking wallets, mining malware attacks do present a threat to computer systems that can be exploited for hashing power. This was shown in a recent study published by Kapersky Labs.

announced this week that it had discovered a server breach that compromised student data. The school stated that the malware was designed to mine bitcoins, although it is unclear if the effort was successful.

BadLepricon is also not the first type of malware to disguise itself on the Google Play store. Earlier this year, two malicious apps were discovered that turned affected mobile devices into dogecoin and litecoin miners.

Password security image via Shutterstock.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to to register and buy your pass now.