Google has removed five wallpaper apps from the Play store said to be secretly using mobile resources to mine bitcoins.
According to security firm Lookout, the applications run when the display is off, draining the battery.
The bug, BadLepricon, operates similarly to the other bitcoin mining malware, targeting devices an active internet connection and more than half the battery left.
Researchers said a recent mining experiment using 600 quadcore servers could only generate 0.4 Bitcoins per year, with malware makers directing their efforts towards "low-hanging fruit" to maximise resources.
Lookout security researcher Meghan Kelly said miners often don't work alone because of the difficulty of bitcoin mining,
"Instead, they work in groups, pooling their processing resources," Kelly added in a blog. "They collect payment as a percentage of the processing power they contribute,"
In order to control the sometimes thousands of bots, the malware author may use a proxy to set up one point of contact.
BadLepricon uses a Stratum mining proxy, allowing the author to easily change mining pools or connections to Bitcoin wallets.
The apps were variously themed around anime girls, "epic smoke" and attractive men, and had been installed 100-500 times each at the time of removal.
After installation, BadLepricon entered an infinite loop, checking every five seconds for battery level, connectivity, and whether the phone's display was on. It also made use of WakeLock, a feature that ensures that your phone doesn't go to sleep even if the display is off.
Absolute® Software specialises in technology and services for the management and security of mobile computers and smartphones.