SecurityWeek

Malware & Threats

Cryptojacking Applications Land in Microsoft Store

Eight applications designed to mine for crypto-currency without users’ knowledge made their way into the Microsoft Store, Symantec has discovered. 

The apps surreptitiously use the victim’s CPU power to mine Monero. They reached the application marketplace posing as computer and battery optimization tutorials, internet search tools, web browsers, and video viewing and download programs, and target both Windows 10 and Windows 10 S. 

Although they were published in the Microsoft Store under three different developer accounts, namely DigiDream, 1clean, and Findoo, the programs were likely built by the same person or group, Symantec says. 

Once downloaded and launched, the apps fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) on the developers’ own domain servers. The script then consumes the majority of the computer’s CPU cycles to mine Monero for the perpetrators. 

The offending applications were published in the application store between April and December 2018, most toward the end of the year. Despite being available for a relatively short period of time, however, the apps appear to have been downloaded by a significant number of users. 

“Although we can’t get exact download or installation counts, we can see that there were almost 1,900 ratings posted for these apps. However, app ratings can be fraudulently inflated, so it is difficult to know how many users really downloaded these apps,” Symantec notes. 

When launched, the apps silently visit a domain in the background and trigger GTM, a legitimate tool that lets developers inject JavaScript dynamically into their applications. 

All eight apps were found to share the same key GTM-PRFLJPX and to connect to the same remote location, a coin-mining JavaScript library. The script is a version of the Coinhive library, a script designed to mine for Monero. 

“These apps fall under the category of Progressive Web Applications, which are installed as a Windows 10 app running independently from the browser, in a standalone (WWAHost.exe process) window,” Symantec reports.
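The behaviour described above gives a defender three observables that can be correlated on the endpoint: a PWA host process (WWAHost.exe) loading a GTM container, the same process then pulling a Coinhive-style script, and a sustained CPU spike afterwards. The following is an added example, not Symantec’s or SecurityWeek’s code, that runs such a correlation over constructed process/network telemetry. The container ID GTM-PRFLJPX is the one named in the article; the `coinhive.min.js` filename is the public Coinhive library name; the thresholds, the `Event` record layout, and all hostnames in the sample data are assumptions made for the example.

```python
"""Added example (not from the article or Symantec): flag a PWA host process
that loads a Google Tag Manager container and then a Coinhive-style miner."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Container ID reported in the article; a real deployment would load a
# curated blocklist instead of a single literal.
KNOWN_BAD_GTM_CONTAINERS = {"GTM-PRFLJPX"}

# Public Coinhive library filename / path (assumption: defenders keep such a list).
MINER_SCRIPT_PATTERN = re.compile(r"coinhive(\.min)?\.js$|/lib/coinhive", re.I)
GTM_PATTERN = re.compile(r"googletagmanager\.com/gtm\.js\?id=(GTM-[A-Z0-9]+)", re.I)

CORRELATION_WINDOW_S = 60   # assumed: miner fetched within 60 s of the GTM load
CPU_THRESHOLD_PCT = 70.0    # assumed: sustained CPU level that is suspicious for a PWA


@dataclass
class Event:
    """One telemetry sample: which process fetched which URL, and its CPU load."""
    ts: float        # seconds since an arbitrary epoch
    image: str       # process image name, e.g. WWAHost.exe
    url: str         # requested URL
    cpu_pct: float   # process CPU usage at sampling time


def gtm_container(url: str) -> Optional[str]:
    """Return the GTM container ID embedded in a gtm.js request, or None."""
    m = GTM_PATTERN.search(url)
    return m.group(1).upper() if m else None


def is_miner_script(url: str) -> bool:
    """True when the URL points at a Coinhive-style mining library."""
    return bool(MINER_SCRIPT_PATTERN.search(url))


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (process image, reason) findings for the supplied telemetry."""
    by_image = defaultdict(list)
    for e in events:
        by_image[e.image].append(e)

    findings = []
    for image, evs in by_image.items():
        evs.sort(key=lambda e: e.ts)
        gtm_hits = [(e.ts, gtm_container(e.url)) for e in evs if gtm_container(e.url)]
        miner_hits = [e for e in evs if is_miner_script(e.url)]

        # Direct indicator: a container ID already tied to cryptojacking.
        for _, cid in gtm_hits:
            if cid in KNOWN_BAD_GTM_CONTAINERS:
                findings.append((image, f"known cryptojacking GTM container {cid}"))

        # Behavioural indicator: miner script, with higher confidence when it
        # follows a GTM container load from the same process.
        for m in miner_hits:
            chained = any(0 <= m.ts - ts <= CORRELATION_WINDOW_S for ts, _ in gtm_hits)
            findings.append((image, "miner script fetched" + (" via GTM chain" if chained else "")))

        # Impact indicator: the PWA host burning CPU after the miner arrived.
        if image.lower() == "wwahost.exe" and miner_hits:
            peak = max(e.cpu_pct for e in evs)
            if peak >= CPU_THRESHOLD_PCT:
                findings.append((image, f"PWA host at {peak:.0f}% CPU after miner fetch"))
    return findings


# Constructed sample telemetry (hostnames use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    Event(100.0, "WWAHost.exe", "https://example-tutorial.invalid/index.html", 3.0),
    Event(101.5, "WWAHost.exe", "https://www.googletagmanager.com/gtm.js?id=GTM-PRFLJPX", 4.0),
    Event(103.0, "WWAHost.exe", "https://cdn.example-tutorial.invalid/lib/coinhive.min.js", 5.0),
    Event(120.0, "WWAHost.exe", "https://example-tutorial.invalid/api/ping", 96.0),
    # Benign browser loading an unrelated (constructed) container ID.
    Event(100.0, "msedge.exe", "https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123", 12.0),
]

if __name__ == "__main__":
    for image, reason in detect(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

Only the WWAHost.exe process produces findings here; the browser's GTM load is left alone because GTM itself is legitimate, which is why the rule keys on the container ID and on the follow-on miner fetch rather than on GTM traffic as such.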

After finding the servers for each of these applications, the security firm discovered that all servers have the same origin, suggesting that a single developer might be behind all of them. 

Both Microsoft and Google were informed of the malicious behavior, which resulted in the removal of the apps from the Microsoft Store and of the mining script from Google Tag Manager.

Related: Cryptocurrency Theft Tops $1 Billion in Past Six Months

Related: Downsides and Dangers of Cryptominers

Related: Is Cryptojacking Replacing Ransomware as the Next Big Threat?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
