Millions of Android smartphones have reportedly been hijacked in a drive-by cryptocurrency mining campaign. As per security researchers, over the past few months, hackers have secretly been mining Monero coins via smartphones. According to Malwarebytes researchers, the campaign was first observed in January though it had started around November last year.
According to the report, millions of Android mobile users have been redirected to a specifically designed page "performing in-browser cryptomining." Though the method, the report says, is "automated, without user consent, and mostly silent," visitors are presented with a CAPTCHA to solve to prove that they are human and not a bot.
The warning message reads as "Your device is showing suspicious surfing behaviour. Please prove that you are human by solving the captcha. Until you verify yourself as human, your browser will mine the Cryptocurrency Monero for us in order to recover the server costs incurred by bot traffic." Until a user enters the code, the smartphone or tablet continues mining Monero, damaging the device's processor.
Also see: How to Stop Websites From Using Your Phone or Computer to Mine Bitcoin and Other Cryptocurrencies
Interestingly, upon clicking entering the code, users are redirected to the Google home page, the report says. Also, the code is static and hardcoded in the page's source, making the process appear malicious. The researchers at Malwarebytes say that victims may face the forced redirection during regular browsing sessions or via infected apps with malicious ads.
"It's possible that this particular campaign is going after low-quality traffic-but not necessarily bots -and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner," Jerome Segura, lead malware intelligence analyst at Malwarebytes, wrote in the blog post.
Malwarebytes identified five domains using the same captcha code and Coinhive site keys used for the campaign. According to the data posted on the blog, at least two websites had more than 30 million visits per month, and the domains combined yielded around 800,000 visits per day.
Unsurprisingly, Web filtering or security applications on smartphones have been highly recommended by the researchers, to prevent such hijacks. They say that forced cryptomining is now affecting mobile phones and tablets not only via Trojanised apps but also via redirects and pop-unders. Meanwhile, here is a guide on how to stop websites from using your phone or computer to mine cryptocurrencies.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.