In a blog post about their discovery, Lookout explains how the malware functioned.
These apps did fulfill their advertised purpose in that they provided live wallpaper apps, which vary in theme from anime girls to “epic smoke” to attractive men. However, without alerting you in the terms of service, BadLepricon enters into an infinite loop where — every five seconds — it checks the battery level, connectivity, and whether the phone’s display was on. … It does this almost as a courtesy to your phone. Miners, when left unchecked, can damage a phone by using so much processing power that it burns out the device. In order to avoid this, BadLepricon makes sure that the battery level is running at over 50 percent capacity, the display is turned off, and the phone network connectivity. … If you’re a piece of malware, watching the phone’s battery power is a good way of hiding your activities as well.
According to Lookout, each app had between 100 and 500 downloads, meaning that only a relatively small amount of devices could be infected. The post also claimed that it was extremely unlikely that the low-powered processors in the infected phones would have yielded any meaningful bitcoin or alt-coin rewards.
The people behind this malware decided to go for these “low-hanging fruit” coins because you can actually mine more coins with less computing power. … But even then it’s not that lucrative. A phone’s computing power doesn’t actually result in that many coins. Every coin has a difficulty rate, which is determined by the amount of computing power needed to mine that coin and other factors. The difficulty for Bitcoin is so tough right now that a recent mining experiment using 600 quadcore servers was only able to generate 0.4 Bitcoins over one year.
The Lookout post noted that BadLepricon uses the Stratum mining proxy, allowing the malware controller to easily switch to the most lucrative cryptocurrencies and mining pools with ease.