Attackers place cryptojacking apps in the Microsoft App Store | Networks Asia


In January, security researchers from Symantec found cryptomining
applications in the Microsoft App Store that had been published
there between April and December 2018. It’s not clear how many
users downloaded or installed the apps, but they had accumulated
almost 1,900 user ratings.

The rogue applications posed as browsers, search engines, YouTube
video downloaders, VPN and computer optimization tutorials and
were uploaded by three developer accounts called DigiDream,
1clean and Findoo. However, the Symantec researchers believe the
apps were created by a single person or the same group of
attackers since they all share the same origin domain on the
backend.

“As soon as the apps are downloaded and launched, they fetch a
coin-mining JavaScript library by triggering Google Tag Manager
(GTM) in their domain servers,” the Symantec researchers said in
a report Friday. “The mining script then gets activated and
begins using the majority of the computer’s CPU cycles to mine
Monero for the operators. Although these apps appear to provide
privacy policies, there is no mention of coin mining on their
descriptions on the app store.”

The programs were published as Progressive Web Applications
(PWA), a type of app that is built like a web page but can also
reach device capabilities through web APIs, send push
notifications, use offline storage and generally behave a lot like
a native program. Under Windows 10, these applications run
independently of the browser, in a standalone host process called
WWAHost.exe.

When executed, the applications call GTM, a legitimate service
that allows developers to dynamically inject JavaScript into
their applications. Because the script is fetched at run time
rather than bundled, the store only ever sees the GTM loader; the
payload served behind it can be changed at any point after
publication. All the applications use the same unique GTM
container key, which further suggests they were created by the
same developer.
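The detail that matters for defenders in the two paragraphs above is that the miner runs inside WWAHost.exe and, per the report, consumes most of the CPU while talking to a remote server. The following PowerShell script is an added example, not code from the article or from Symantec's report: it samples every WWAHost.exe process over a short window and flags those that combine sustained CPU use with established outbound connections. The 25 % threshold and the 5-second window are assumptions chosen for illustration, not values taken from the report, and the command-line field is surfaced only as a hint to which store app a given host instance belongs.

```powershell
# Added example (not from the article or Symantec's report): flag WWAHost.exe
# processes, the host for Windows 10 PWAs, that are burning CPU while holding
# outbound TCP connections, as a coin-mining PWA would.
# Assumptions: a 5-second sample window and a 25 % CPU threshold are
# illustrative values, not figures from the report. Run in an elevated
# PowerShell 5.1+ session on Windows 10.

$SampleSeconds       = 5
$CpuPercentThreshold = 25
$cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors

# First sample: cumulative processor time per WWAHost.exe process.
$before = Get-Process -Name WWAHost -ErrorAction SilentlyContinue |
    Select-Object Id, @{ n = 'CpuSeconds'; e = { $_.TotalProcessorTime.TotalSeconds } }

if (-not $before) {
    Write-Output 'No WWAHost.exe processes are running.'
    return
}

Start-Sleep -Seconds $SampleSeconds

foreach ($p in $before) {
    $now = Get-Process -Id $p.Id -ErrorAction SilentlyContinue
    if (-not $now) { continue }   # process exited during the sample window

    # Percentage of total machine CPU this process used during the window.
    $delta = $now.TotalProcessorTime.TotalSeconds - $p.CpuSeconds
    $pct   = [math]::Round(100 * $delta / ($SampleSeconds * $cores), 1)

    # Remote endpoints the process is currently connected to; a miner needs
    # at least one to fetch the script and submit work.
    $remotes = Get-NetTCPConnection -OwningProcess $p.Id -State Established `
                   -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty RemoteAddress -Unique

    # The host process command line normally identifies the hosted app,
    # which is what you need to look the package up in the Store afterwards.
    $cmdline = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").CommandLine

    [pscustomobject]@{
        Pid             = $p.Id
        CpuPercent      = $pct
        RemoteAddresses = ($remotes -join ', ')
        CommandLine     = $cmdline
        Suspicious      = ($pct -ge $CpuPercentThreshold -and $remotes.Count -gt 0)
    }
}
```

A hit is a lead, not a verdict: a legitimate PWA decoding video will also spike CPU, so follow up by checking the remote addresses and the app the command line names against what the Store listing claims the app does.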

The script loaded by the apps is a variant of Coinhive, a
Web-based cryptocurrency miner that has been used in the past by
attackers to infect websites and hijack visitors’ CPU resources.

“We have informed Microsoft and Google about these apps’
behaviors,” the Symantec researchers said. “Microsoft has removed
the apps from their store. The mining JavaScript has also been
removed from Google Tag Manager.”

This incident shows that cryptocurrency mining remains of high
interest to cybercriminals. Whether it’s to hijack people’s
personal computers or servers in datacenters, they are always on
the lookout for new ways to deploy coinminers.

Over the past two years, attackers have launched coinmining
attacks through Android apps hosted on Google Play, through
browser extensions for Google Chrome and Mozilla Firefox, through
regular desktop applications, through compromised websites and
now, through Windows 10 PWAs. There are also a variety of botnets
that infect Linux and Windows servers with cryptocurrency mining
programs by exploiting vulnerabilities in popular Web
applications and platforms.

Users are often advised to only download applications from
trusted sources, whether on their mobile devices or computers.
However, with rogue apps frequently finding their way into
official app stores, relying on that advice alone is no longer
sufficient protection.
