On January 17 2019, Symantec discovered several potentially unwanted applications (PUAs) on the Microsoft Store that surreptitiously use the victim’s CPU power to mine cryptocurrency.
Symantec immediately reported these apps to Microsoft and they subsequently removed them from their store.
The apps, which included those for computer and battery optimization tutorial, internet search, web browsers, and video viewing and download, came from three developers: DigiDream, 1clean, and Findoo. In total, we discovered eight apps from these developers that shared the same risky behavior. After further investigation, we believe that all these apps were likely developed by the same person or group.
The apps were published between April and December 2018, with most of them published toward the end of the year. Even though the apps were on the app store for a relatively short period of time, a significant number of users may have downloaded them. Although Symantec can’t get exact download or installation counts, there were almost 1,900 ratings posted for these apps.
However, app ratings can be fraudulently inflated, so it is difficult to know how many users really downloaded these apps.
When each app is launched, the domain is silently visited in the background and triggers GTM with a key, which is shared across all eight applications.
After decoded, Symantec found that it was a version of the Coinhive library. Coinhive is a script that mines Monero. Since the Coinhive service was launched in September 2017, there have been many reports of it being used for cryptojacking without site visitors’ knowledge.
Symantec also investigated the miner activation code on GTM, and the key source code and observed that the miner crawls with a key which serves as the wallet for Coinhive. These apps fall under the category of Progressive Web Applications, which are installed as a Windows 10 app running independently from the browser, in a standalone window.
From the apps’ network traffic, Symantec found the hosting server for each app. Through a Whois query, it was found that all of these servers actually have the same origin. Therefore, these apps were most likely published by the same developers using different names.