Microsoft removes eight cryptojacking apps from official store

Eight Windows 10 apps removed from the Microsoft Store after getting caught mining Monero behind users' backs.
Written by Catalin Cimpanu, Contributor

Microsoft has removed from the official Microsoft Store eight Windows 10 apps that had been caught mining the Monero cryptocurrency behind users' backs for the benefit of the apps' developers.

The names of the eight apps are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.

The apps were developed by three developers, namely DigiDream, 1clean, and Findoo. US cyber-security firm Symantec, which discovered the malicious apps last month, says evidence they uncovered in the applications' source code and adjacent domains led them to believe all eight had been developed by the same person or group, despite the different names.

According to a Symantec technical report shared with ZDNet, all apps worked in a similar fashion. All loaded the Google Tag Manager (GTM) library within their source code, through which they later downloaded and executed the actual malicious payload.

This last-stage piece of code was a pirated version of the infamous Coinhive --a JavaScript library that many hackers have secretly added on hacked sites to mine Monero using visitors' browsers.

Besides hacked sites, the library has also been used in any apps that can execute JavaScript code, such as game mods, Android and iOS apps, and, now, Windows 10 apps. This marks the first time such apps have been found on the Microsoft Store, Symantec has told ZDNet.

"These apps fall under the category of Progressive Web Applications, which are installed as a Windows 10 app running independently from the browser, in a standalone (WWAHost.exe process) window," Symantec experts said in their report, explaining how these apps were able to run the Coinhive JavaScript code, to begin with.

"A malicious URL with mining script was detected, and we backtracked to find these applications," Tommy Dong, Senior Principal Software Engineer at Symantec, told ZDNet. "Symantec AV can convict generic JS-based cryptocurrency mining disregarding any domain."

Users who installed these apps over the past few months would have seen their CPU usage go through the roof, as the Coinhive miner would consume all available resources to mine Monero for the app devs.

"There is no throttling which means it uses up 100% of user's CPU time. Opening the app will cause a detectable spike in CPU usage," Dong told us.

Because the Microsoft Store doesn't list install count stats, it's impossible to say how many users were affected, however, Symantec pointed out that the apps had thousands of reviews, suggesting they were somewhat popular --although this can't be extremely accurate either, as there are online services that sell fake reviews on the Microsoft Store.

The apps are what security researchers would normally call cryptojacking apps or cryptominers. Cryptojacking, is a cyber-security-related term that is used to describe the practice of mining cryptocurrency behind a user's back.

Because of the sudden rise in cryptocurrency prices that occurred in mid-2017, cryptojacking --first done inside browsers and later using dedicated software on servers-- is one of today's most prevalent forms of cybercrime, with some groups making millions of US dollars in profits.

2018's worst cryptocurrency scams, cyberattacks (in pictures)

Related security coverage:

Editorial standards