Applications of this family are often full working copies of well-known legitimate software that has been injected with functionality for mining cryptocurrency. Mining, which is CPU-intensive, occurs only when the phone is not in use. When the phone is unlocked, all traces of mining activity are wiped with the help of previously obtained superuser rights: mining stops and the files needed for it are deleted. When needed, the application downloads mining-related information from a server.
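A defensive heuristic for the behaviour described above, as an added example that is not from the original page: it flags packages whose CPU load is high only while the screen is locked and collapses once the phone is unlocked. The telemetry tuples, package names and thresholds are constructed assumptions, not data from any real device or from the vendor.

```python
from collections import defaultdict
from statistics import median

# Constructed telemetry: (seconds, package, cpu_percent, screen_unlocked)
SAMPLES = [
    (0,   "com.example.game",   71.0, False),
    (60,  "com.example.game",   74.5, False),
    (120, "com.example.game",   69.0, False),
    (180, "com.example.game",    0.4, True),   # load vanishes on unlock
    (240, "com.example.game",    0.2, True),
    (300, "com.example.game",   72.0, False),  # and resumes once locked again
    (0,   "com.example.player", 35.0, True),   # normal foreground use
    (60,  "com.example.player", 38.0, True),
    (120, "com.example.player",  1.0, False),
    (180, "com.example.player",  0.5, False),
    (0,   "com.example.backup", 55.0, False),  # legitimate background job
    (60,  "com.example.backup", 60.0, False),
    (120, "com.example.backup", 48.0, True),   # keeps working after unlock
    (180, "com.example.backup", 52.0, True),
]


def suspicious_packages(samples, busy=50.0, idle=5.0, min_samples=2):
    """Map package -> (median locked CPU, peak unlocked CPU) for packages
    that are busy while the device is locked and idle while it is in use."""
    locked, unlocked = defaultdict(list), defaultdict(list)
    for _ts, pkg, cpu, is_unlocked in samples:
        (unlocked if is_unlocked else locked)[pkg].append(cpu)

    flagged = {}
    for pkg in sorted(locked):
        on_lock, in_use = locked[pkg], unlocked.get(pkg, [])
        if len(on_lock) < min_samples or len(in_use) < min_samples:
            continue  # need evidence from both screen states
        # Median tolerates one noisy locked sample; max() demands that the
        # package never shows load while the user is looking at the phone.
        if median(on_lock) >= busy and max(in_use) <= idle:
            flagged[pkg] = (median(on_lock), max(in_use))
    return flagged


if __name__ == "__main__":
    for pkg, (lock_cpu, use_cpu) in suspicious_packages(SAMPLES).items():
        print(f"{pkg}: locked median {lock_cpu}%, unlocked peak {use_cpu}%")
```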
Geographical distribution of attacks by the Trojan.AndroidOS.Coinge family
Top 10 countries with most attacked users (% of total attacks)
* Percentage among all unique Kaspersky users worldwide attacked by this malware