STG News
On January 17 2019, Symantec discovered several potentially unwanted applications (PUAs) on the Microsoft Store that surreptitiously use the victim’s CPU power to mine cryptocurrency.
Symantec immediately reported these apps to Microsoft and they subsequently removed them from their store.
The apps, which included those for computer and battery optimization tutorial, internet search, web browsers, and video viewing and download, came from three developers: DigiDream, 1clean, and Findoo. In total, we discovered eight apps from these developers that shared the same risky behavior. After further investigation, we believe that all these apps were likely developed by the same person or group.
Users may get introduced to these apps through the top free apps lists on the Microsoft Store or through keyword search. The samples found run on Windows 10, including Windows 10 S Mode. As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store.
The apps were published between April and December 2018, with most of them published toward the end of the year. Even though the apps were on the app store for a relatively short period of time, a significant number of users may have downloaded them. Although Symantec can’t get exact download or installation counts, there were almost 1,900 ratings posted for these apps.
However, app ratings can be fraudulently inflated, so it is difficult to know how many users really downloaded these apps.
When each app is launched, the domain is silently visited in the background and triggers GTM with a key, which is shared across all eight applications.
GTM is a legitimate tool that allows developers to inject JavaScript dynamically into their applications. However, GTM can be abused to conceal malicious or risky behaviors. By monitoring the network traffic from these apps, Symantec found that they all connected to the same remote location, which is a coin-mining JavaScript library. The apps then access their own GTM and activate the mining script.
After decoded, Symantec found that it was a version of the Coinhive library. Coinhive is a script that mines Monero. Since the Coinhive service was launched in September 2017, there have been many reports of it being used for cryptojacking without site visitors’ knowledge.
Symantec also investigated the miner activation code on GTM, and the key source code and observed that the miner crawls with a key which serves as the wallet for Coinhive. These apps fall under the category of Progressive Web Applications, which are installed as a Windows 10 app running independently from the browser, in a standalone window.
From the apps’ network traffic, Symantec found the hosting server for each app. Through a Whois query, it was found that all of these servers actually have the same origin. Therefore, these apps were most likely published by the same developers using different names.
Microsoft and Google were immediately informed by Symantec about these apps’ behaviors. Microsoft has removed the apps from their store. The mining JavaScript has also been removed from Google Tag Manager.
[rns_reactions]