Cryptojacking Applications Land in Microsoft Store

Eight applications designed to mine for crypto-currency without users’ knowledge made their way into the Microsoft Store, Symantec has discovered. 

The apps surreptitiously use the victim's CPU to mine Monero. They were listed in the marketplace as computer and battery optimization tutorials, internet search tools, web browsers, and video viewing and download programs, and they target both Windows 10 and Windows 10 S. 

Although they were published in the Microsoft Store under three different developer accounts, namely DigiDream, 1clean, and Findoo, the programs were likely built by the same person or group, Symantec says. 

After being downloaded and executed, the apps visit a domain controlled by their developers, which triggers a Google Tag Manager (GTM) container that in turn fetches a coin-mining JavaScript library. The script then consumes the majority of the computer's CPU cycles to mine Monero for the perpetrators. 

The offending applications were published in the application store between April and December 2018, most toward the end of the year. Despite being available for a relatively short period of time, however, the apps appear to have been downloaded by a significant number of users. 

“Although we can’t get exact download or installation counts, we can see that there were almost 1,900 ratings posted for these apps. However, app ratings can be fraudulently inflated, so it is difficult to know how many users really downloaded these apps,” Symantec notes. 

When launched, the apps silently visit a domain in the background and trigger GTM, a legitimate tool that lets developers inject JavaScript into their applications dynamically, without shipping a new build. 

All eight apps were found to share the same GTM container key, GTM-PRFLJPX, and to fetch the same remote resource: a coin-mining JavaScript library that is a version of the Coinhive script, which is designed to mine Monero. 

“These apps fall under the category of Progressive Web Applications, which are installed as a Windows 10 app running independently from the browser, in a standalone (WWAHost.exe process) window,” Symantec reports.

After locating the servers behind each of these applications, the security firm found that all of them share the same origin, which suggests that a single developer is behind all eight. 
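The report gives three concrete indicators a defender can pivot on: the shared GTM container ID, a Coinhive-derived script fetched from the developers' own servers, and a standalone WWAHost.exe process burning most of the CPU. The following is an added detection sketch written for this article, not code from Symantec or Microsoft. It runs over constructed proxy log lines and constructed CPU samples (none of it is real telemetry), extracts container IDs from the standard GTM loader URL (`gtm.js?id=GTM-...`), matches them against a watchlist seeded with the ID from the report, flags miner-like script URLs and WebSocket connections from the PWA host process, and correlates those with sustained CPU use. The `.invalid` hostnames, the miner URL markers, the WebSocket heuristic and the CPU threshold are assumptions chosen for illustration.

```python
"""
Detection sketch for the cryptojacking pattern described above (added
example, not code from the report). All log lines and CPU samples below
are constructed for this illustration; hostnames use the reserved
.invalid TLD. The container ID GTM-PRFLJPX is the one Symantec reported.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Container ID shared by all eight apps (from the Symantec report).
WATCHLIST_GTM_IDS = {"GTM-PRFLJPX"}

# Assumption: substrings in a script URL that suggest a Coinhive-style miner.
MINER_URL_MARKERS = ("coinhive", "cryptonight", "miner")

# Process hosting a Windows PWA, per the report (standalone WWAHost.exe window).
PWA_HOST_PROCESS = "wwahost.exe"

# Assumption: this much CPU for this many consecutive samples is worth a look.
CPU_THRESHOLD_PCT = 80.0
CPU_MIN_SAMPLES = 3

# Constructed proxy log: "<timestamp> <process> <method> <url>"
SAMPLE_NET_LOG = """\
2018-12-03T10:15:02Z WWAHost.exe GET https://www.googletagmanager.com/gtm.js?id=GTM-PRFLJPX
2018-12-03T10:15:03Z WWAHost.exe GET https://updates.example.invalid/lib/coinhive.min.js
2018-12-03T10:15:04Z WWAHost.exe CONNECT wss://ws.pool.example.invalid/proxy
2018-12-03T10:16:00Z chrome.exe GET https://www.googletagmanager.com/gtm.js?id=GTM-ABC1234
2018-12-03T10:16:10Z chrome.exe GET https://cdn.example.invalid/app.js
"""

# Constructed CPU samples: (process, cpu_percent), one per polling interval.
SAMPLE_CPU = [
    ("WWAHost.exe", 91.0), ("WWAHost.exe", 95.5), ("WWAHost.exe", 93.0),
    ("chrome.exe", 12.0), ("chrome.exe", 40.0), ("chrome.exe", 9.0),
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
GTM_ID_RE = re.compile(r"^GTM-[A-Z0-9]+$")


def parse_line(line):
    """Return (timestamp, process, method, url), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def extract_gtm_id(url):
    """Container ID from a GTM loader URL (gtm.js?id=GTM-XXXX), else None."""
    u = urlparse(url)
    if not u.hostname or not u.hostname.endswith("googletagmanager.com"):
        return None
    cid = parse_qs(u.query).get("id", [None])[0]
    return cid if cid and GTM_ID_RE.match(cid) else None


def network_findings(log_text):
    """Map process name -> list of reasons raised by the network log."""
    reasons = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        _ts, proc, _method, url = parsed
        cid = extract_gtm_id(url)
        if cid in WATCHLIST_GTM_IDS:
            reasons[proc].append(f"watchlisted GTM container {cid}")
        low = url.lower()
        if any(mark in low for mark in MINER_URL_MARKERS):
            reasons[proc].append(f"miner-like script URL {url}")
        # Assumption: browser miners talk to a pool proxy over WebSocket.
        if low.startswith(("ws://", "wss://")) and proc.lower() == PWA_HOST_PROCESS:
            reasons[proc].append(f"WebSocket from PWA host to {urlparse(url).hostname}")
    return reasons


def cpu_findings(samples):
    """Processes whose CPU stayed at or above threshold for CPU_MIN_SAMPLES in a row."""
    runs = defaultdict(int)
    hot = set()
    for proc, pct in samples:
        runs[proc] = runs[proc] + 1 if pct >= CPU_THRESHOLD_PCT else 0
        if runs[proc] >= CPU_MIN_SAMPLES:
            hot.add(proc)
    return hot


def detect(log_text, cpu_samples):
    """Combine both signals; return {process: [reasons]} for suspects only."""
    reasons = network_findings(log_text)
    for proc in cpu_findings(cpu_samples):
        reasons[proc].append(f"sustained CPU >= {CPU_THRESHOLD_PCT:.0f}%")
    # Require two independent reasons so a lone busy process is not flagged.
    return {p: r for p, r in reasons.items() if len(r) >= 2}


if __name__ == "__main__":
    for proc, why in detect(SAMPLE_NET_LOG, SAMPLE_CPU).items():
        print(proc)
        for w in why:
            print("  -", w)
```

On the sample data only WWAHost.exe is reported, with all four reasons; chrome.exe loads a different container and never meets the CPU threshold, so it is left alone. Extracting the container ID rather than matching the raw URL is deliberate: GTM is legitimate and ubiquitous, so the container key is the indicator, not the googletagmanager.com host.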

Both Microsoft and Google were informed of the malicious behavior, which resulted in the removal of the apps from the Microsoft Store and of the mining script from Google Tag Manager.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
