Attackers place crypto-jacking apps in Microsoft App Store

Microsoft has removed eight applications from its app store for Windows that were mining Monero crypto-currency without users' knowledge.

Security researchers from Symantec found the crypto-mining applications in the Microsoft App Store in January; the apps had been published in the store between April and December 2018.

It's not clear how many users downloaded or installed the apps, but they had almost 1,900 user ratings.

The rogue applications posed as browsers, search engines, YouTube video downloaders, VPN and computer optimisation tutorials and were uploaded by three developer accounts called DigiDream, 1clean and Findoo.

However, the Symantec researchers believe the apps were created by a single person or the same group of attackers since they all share the same origin domain on the backend.

"As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers," the Symantec researchers said in a report on Friday.

"The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store."

The programs were published as Progressive Web Applications (PWA), a type of app that works as a web page but also has access to the computer hardware through APIs, can send push notifications, use offline storage and behave a lot like a native program.

Under Windows 10, these applications run independently from the browser, under a standalone process called WWAHost.exe.

When executed, the applications call GTM, a legitimate service that allows developers to dynamically inject JavaScript into their applications. All the applications use the same unique GTM key, which further suggests they were created by the same developer.
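
The shared-container observation above can be turned into a store-vetting check. The following is an added example, not code from Symantec's report or from this article: it extracts GTM container IDs from packaged app sources and reports any container used by apps from more than one publisher account. The publisher names, app names and container IDs are constructed sample data.

```python
import re
from collections import defaultdict

# GTM container IDs have the form GTM-XXXXXXX. They appear either in a URL
# (gtm.js?id=... / ns.html?id=...) or as an argument to the inline loader.
GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")

# Constructed sample data: (publisher account, app name, packaged HTML/JS).
SAMPLE_APPS = [
    ("publisher-a", "Sample Browser",
     '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-SAMPLE1"></script>'),
    ("publisher-b", "Sample Video Downloader",
     "(function(w,d,s,l,i){var j=d.createElement(s);"
     "j.src='https://www.googletagmanager.com/gtm.js?id='+i;})"
     "(window,document,'script','dataLayer','GTM-SAMPLE1');"),
    ("publisher-c", "Sample VPN Tutorial",
     '<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-SAMPLE1"></iframe>'),
    ("publisher-d", "Unrelated App",
     '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-SAMPLE2"></script>'),
    ("publisher-e", "No Tag Manager", "<html><body>hello</body></html>"),
]


def shared_containers(apps, min_publishers=2):
    """Map each GTM container ID to the publishers and apps that load it,
    keeping only containers used by at least `min_publishers` accounts."""
    by_id = defaultdict(lambda: {"publishers": set(), "apps": set()})
    for publisher, app, source in apps:
        # Only trust IDs in sources that actually reference the GTM host.
        if "googletagmanager.com" not in source:
            continue
        for container in set(GTM_ID.findall(source)):
            by_id[container]["publishers"].add(publisher)
            by_id[container]["apps"].add(app)
    return {
        container: {"publishers": sorted(v["publishers"]), "apps": sorted(v["apps"])}
        for container, v in by_id.items()
        if len(v["publishers"]) >= min_publishers
    }


if __name__ == "__main__":
    for container, info in shared_containers(SAMPLE_APPS).items():
        print(container, "is shared by", info["publishers"], "via", info["apps"])
```

A container shared across unrelated publisher accounts is a lead for review rather than proof of abuse, since the container's contents can be changed remotely after an app has been approved.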

The script loaded by the apps is a variant of Coinhive, a Web-based cryptocurrency miner that has been used in the past by attackers to infect websites and hijack visitors' CPU resources.

"We have informed Microsoft and Google about these apps’ behaviours," the Symantec researchers said. "Microsoft has removed the apps from their store. The mining JavaScript has also been removed from Google Tag Manager."

This incident shows that cryptocurrency mining remains of high interest to cyber criminals. Whether it's to hijack people's personal computers or servers in data centres, they are always on the lookout for new ways to deploy coin-miners.

Over the past two years, attackers have launched coin-mining attacks through Android apps hosted on Google Play, through browser extensions for Google Chrome and Mozilla Firefox, through regular desktop applications, through compromised websites and now, through Windows 10 PWAs.

There are also a variety of botnets that infect Linux and Windows servers with crypto-currency mining programs by exploiting vulnerabilities in popular web applications and platforms.

Users are often advised to only download applications from trusted sources, whether on their mobile devices or computers. However, with rogue apps frequently finding their way into official app stores, relying on that advice alone for protection is no longer an option.

