Millions of Android devices have quietly fallen victim to a “drive-by” campaign that uses the mobile device’s computing power to mine for the cryptocurrency Monero, researchers at cybersecurity firm Malwarebtyes found.

The attack, first discovered in January, has been ongoing since at least November 2017, according to the researchers. It uses malicious advertisements that contain hidden code that, when opened on an Android device, uses the processing power of the phone or tablet to generate cryptocurrency.

The cryptomining scheme uses malvertising tactics—malicious advertisements that are served up on websites just like standard ads but contain code that can mine for cryptocurrency—to hijack a user’s device without their knowledge.

When a victim clicks on an advertisement or visits a page with the malicious ads, they are redirected to web pages that contain the cryptomining code. Once the fake site is opened, it begins to generate revenue for the attackers.

The so-call “drive-by” campaign only works when a victim visits one of the sites with the cryptomining code running on it, so the attack doesn’t necessarily present long-term harm to a user’s device.

While active, the code will use the device’s processor to generate the cryptocurrency—a task that involves solving complicated mathematical problems in order to process transactions and release additional currency.

To get the user to submit to the mining effort, it uses a clever technique to trick them. It displays a message that states, “Your device is showing suspicious surfing behavior. Please prove that you are human by solving the captcha” and provides the user with a code that they must enter to continue. One the code is entered, the script starts its mining efforts.

The attack generates Monero, a cryptocurrency that has grown increasingly popular for these types of cryptojacking attacks as it is entirely anonymous and next to impossible to trace back to a source.

Cryptojacking attacks have cropped up a number of ways online. Some websites have used the tactics to generate income without disclosing the practice to users. Cryptomining code has also been hidden in web browser extensions and other tools that hijack a user’s processor. Generally speaking, it is harmless other than using a victim’s processing power without their permission.

According to the researchers at Malwarebtyes, the drive-by campaign has been identified on five domains so far, which have amassed a total of 30 million visitors per month and average about 800,000 visitors per day.

Malwarebytes researchers have so far identified five such domains and two of them had more than 30 million visits per month and the cumulative traffic from these domains totaled around 800,000 visits per day. According to

“We believe there are several more domains than just the few that we caught, but even this small subset is enough to give us an idea of the scope of this campaign,” Jerome Segura, Malwarebytes’ lead malware intelligence analyst, said. “ It is difficult to determine how much Monero currency this operation is currently yielding without knowing how many other domains (and therefore total traffic) are out there.”

Because the attack only operates while a victim is on one of the malicious web pages, there is a relatively low yield from the attack. Malwarebtyes estimated the attackers have netted “a few thousand dollars each month” from the campaign.