• These apps secretly mined the open-source cryptocurrency Monero by exploiting users' devices.
  • Upon being informed about the apps, Microsoft removed the malicious apps from the app store.

Recently, Microsoft Store was found to have eight malicious apps that would steal cryptocurrency as well as use affected devices for crypto mining. Security firm Symantec discovered these cryptomining apps when analyzing the app store for vulnerabilities.

The apps which were meant for functions such as browsing, downloading videos, and more, came from three developers namely DigiDream, 1clean, and Findoo. It is suspected that these three developers are from a single group or person.

All these apps were published in 2018. Moreover, they were listed on the top free app lists to lure users into downloading them. In their blog, Symantec explain the methodology of these apps.

Exploiting GTM for cryptomining

“As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store,” indicated the blog.

GTM is a tool which allows developers to manage JavaScript and HTML libraries in their applications. This makes it attractive for attackers to hide malicious code since GTM does not analyze the code in its storage.

Additionally, when Symantec analyzed the network traffic, they found that the apps were using the same server. This hints that the attack might be the work of a single group or person.

Upon informing Microsoft, the tech giant has removed all these apps from the app store. Consequently, GTM has removed the malicious JavaScript cryptomining library from their server.

Cyware Publisher