
Symantec security researchers have found about eight potentially unwanted applications in the Microsoft Store that use a victim’s computer to mine cryptocurrency, IT Pro reports. The set of apps includes battery and computer optimization tools, as well as search engines and browsers.

These include Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloaders for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019 and Findoo Mobile & Desktop Search. According to the security researchers, the apps came from three developers: DigiDream, 1clean and Findoo.

Operation

Once the apps are downloaded and opened, they retrieve a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers.

“The mining script is then activated and starts to use the vast majority of the CPU cycles of the computer to mine Monero for the operators,” according to the researchers. “Although these apps seem to offer privacy policies, cryptocurrency mining is not mentioned in the description on the app store.”

When an app is launched, a domain is secretly visited in the background, and GTM is triggered with the key GTM-PRFLJPX, which is shared in all eight applications. GTM is a legitimate tool that allows developers to dynamically inject JavaScript into their applications. However, the rogue developers use this to hide rogue or risky behaviour.
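The shared container key gives defenders something concrete to hunt for. The following is an added example, not code from Symantec or from the article: it extracts GTM container IDs from web proxy log lines, flags loads of the key named above, and lists containers requested from more than one referring domain. The three-field log format, the host names and the `.example` domains are constructed for illustration, and the sketch assumes the container is fetched through the standard `gtm.js?id=` loader URL.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Container ID reported in the article; extend with your own intel.
FLAGGED_CONTAINERS = {"GTM-PRFLJPX"}
GTM_HOST = "www.googletagmanager.com"
GTM_ID_RE = re.compile(r"^GTM-[A-Z0-9]+$")

# Constructed sample: "<client-host> <referring-domain> <requested-url>"
SAMPLE_LOG = """\
ws-014 app-one.example https://www.googletagmanager.com/gtm.js?id=GTM-PRFLJPX
ws-014 app-two.example https://www.googletagmanager.com/gtm.js?id=GTM-PRFLJPX
ws-022 shop.example https://www.googletagmanager.com/gtm.js?id=GTM-ABC1234
ws-022 shop.example https://cdn.shop.example/site.js?id=GTM-PRFLJPX
ws-031 app-one.example https://www.googletagmanager.com/gtm.js?id=gtm-prfljpx&l=dataLayer
ws-031 broken-line
"""

def container_id(url):
    """Return the GTM container ID loaded by url, or None if it is not a GTM loader."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != GTM_HOST or parts.path != "/gtm.js":
        return None  # an "id=GTM-..." parameter on some other host is not a GTM load
    ids = parse_qs(parts.query).get("id", [])
    cid = ids[0].upper() if ids else ""  # normalise case before comparing
    return cid if GTM_ID_RE.match(cid) else None

def analyse(log_text):
    """Return (hits, referrers): flagged loads and referring domains per container."""
    hits, referrers = [], defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        cid = container_id(fields[2]) if len(fields) == 3 else None
        if cid is None:
            continue  # malformed line or not a GTM loader request
        client, referrer = fields[:2]
        referrers[cid].add(referrer)
        if cid in FLAGGED_CONTAINERS:
            hits.append((client, referrer, cid))
    return hits, dict(referrers)

if __name__ == "__main__":
    hits, referrers = analyse(SAMPLE_LOG)
    for client, referrer, cid in hits:
        print(f"ALERT {client} loaded {cid} via {referrer}")
    shared = {c: sorted(d) for c, d in referrers.items() if len(d) > 1}
    print("containers shared across domains:", shared)
```

A container requested from several unrelated domains is not malicious in itself, but it is the same linkage that tied the eight apps together here and is worth a second look.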

Lots of downloads

The apps appeared in the app store between April and December last year, according to the research. The apps were only present for a short time, but were possibly downloaded by a significant number of users. According to the researchers, almost 1,900 reviews were posted for the apps. The researchers state that they informed Microsoft and Google of the apps, after which they were removed. The mining JavaScript has also been removed from Google Tag Manager.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.