Eight Malicious Crypto-Mining Apps Removed From Microsoft’s Windows App Store

Microsoft has removed eight applications from its Windows App Store that were mining Monero crypto-currency without the knowledge of users.

The eight crypto-jacking Windows 10 applications were discovered by the cybersecurity company Symantec in January this year. The apps were published in the Microsoft Store between April and December 2018, though many of them appeared only towards the end of the year.

“On January 17, we discovered several potentially unwanted applications (PUAs) on the Microsoft Store that surreptitiously use the victim’s CPU power to mine cryptocurrency. We reported these apps to Microsoft and they subsequently removed them from their store,” Symantec said in a blog post.  

For those unfamiliar, crypto-jacking, also often referred to as drive-by mining, is the practice whereby attackers or websites host code that secretly diverts your computer's central processing unit (CPU) power to mining cryptocurrency, so that the offenders profit from it.

According to Symantec, all eight apps are likely developed by the same person or group. “The apps – which included those for computer and battery optimization tutorials, internet search, web browsers, and video viewing and download – came from three developers: DigiDream, 1clean, and Findoo. In total, we discovered eight apps from these developers that shared the same risky behavior. After further investigation, we believe that all these apps were likely developed by the same person or group,” Symantec added.

All the malicious apps, which ran on Windows 10 including Windows 10 S Mode, were Progressive Web Apps (PWAs). These are web applications that load like regular web pages or websites but can offer functionality such as working offline, push notifications, and device hardware access that was traditionally available only to native applications. PWAs combine the flexibility of the web with the experience of a native application.

Ironically, Microsoft’s Windows 10 S Mode is the most secure Windows 10 version, as it restricts app downloads to the Microsoft Store.

“As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store,” Symantec said.

The eight crypto-jacking apps were published in the Store by three developers, “DigiDream”, “1clean”, and “Findoo”. The apps are: Fast-search Lite, Battery Optimizer (Tutorials), VPN Browser+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.

Collectively, the eight apps boasted over 1,900 reviews. However, since app ratings can be fraudulently inflated, it is currently unclear how many of these ratings and downloads are legitimate.

If you have installed any of the apps listed above, uninstall them as soon as possible. Keep your software up to date, avoid downloading apps from unfamiliar sites, and install apps only from trusted sources. Also, closely monitor the CPU and memory usage of your computer or device.
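As an added example of the CPU-monitoring check suggested above (this is not code from the article or from Symantec), the following Python flags processes that stay above a CPU threshold for a sustained window rather than briefly spiking, which is the symptom of a mining script consuming "the majority of the computer's CPU cycles". The process names, the 30-second sampling interval and the 80% / 60-second thresholds are assumptions, and the samples are constructed for the example.

```python
"""Flag processes that keep the CPU busy for a sustained window (added example,
not from the article or Symantec). Constructed input lines have the form:
    <ISO-8601 timestamp> <process name> <cpu percent>"""
from collections import defaultdict
from datetime import datetime

# Constructed 30-second samples: one process stays pegged once a mining script
# starts; the other shows a short legitimate burst that subsides.
SAMPLES = """\
2019-01-17T10:00:00 pwa_host.exe 12.0
2019-01-17T10:00:00 updater.exe 3.0
2019-01-17T10:00:30 pwa_host.exe 91.5
2019-01-17T10:00:30 updater.exe 88.0
2019-01-17T10:01:00 pwa_host.exe 94.0
2019-01-17T10:01:00 updater.exe 72.0
2019-01-17T10:01:30 pwa_host.exe 89.7
2019-01-17T10:01:30 updater.exe 4.0
2019-01-17T10:02:00 pwa_host.exe 92.2
2019-01-17T10:02:00 updater.exe 2.0
"""

def parse_samples(text):
    """Group samples by process: {name: [(timestamp, cpu_pct), ...]}, time-ordered."""
    by_proc = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, name, pct = line.split()
            by_proc[name].append((datetime.fromisoformat(ts), float(pct)))
    for series in by_proc.values():
        series.sort()
    return by_proc

def longest_busy_run(series, threshold=80.0):
    """Seconds spanned by the longest run of consecutive samples >= threshold.
    A lone spike spans zero seconds, so brief legitimate bursts are not counted."""
    longest, run_start = 0.0, None
    for ts, pct in series:
        if pct >= threshold:
            run_start = run_start or ts
            longest = max(longest, (ts - run_start).total_seconds())
        else:
            run_start = None
    return longest

def flag_sustained_cpu(text, threshold=80.0, min_seconds=60):
    """Names of processes busy at or above threshold for at least min_seconds, sorted."""
    return sorted(name for name, series in parse_samples(text).items()
                  if longest_busy_run(series, threshold) >= min_seconds)
```

Tune the threshold and window to the machine's normal load; a video encoder or build job will legitimately trip a short window, so the sustained duration is what separates mining from ordinary bursts.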

Source: Symantec