Eight applications designed to mine for crypto-currency without users’ knowledge made their way into the Microsoft Store, Symantec has discovered.
The apps surreptitiously use the victim’s CPU power to mine for Monero. They landed in the application marketplace as computer and battery optimization tutorials, internet search apps, web browsers, and video viewing and download programs, and they target both Windows 10 and Windows 10 S.
Although they were published in the Microsoft Store under three different developer accounts, namely DigiDream, 1clean, and Findoo, the programs were likely built by the same person or group, Symantec says.
The offending applications were published in the application store between April and December 2018, most toward the end of the year. Despite being available for a relatively short period of time, the apps appear to have been downloaded by a significant number of users.
“Although we can’t get exact download or installation counts, we can see that there were almost 1,900 ratings posted for these apps. However, app ratings can be fraudulently inflated, so it is difficult to know how many users really downloaded these apps,” Symantec notes.
“These apps fall under the category of Progressive Web Applications, which are installed as a Windows 10 app running independently from the browser, in a standalone (WWAHost.exe process) window,” Symantec reports.
After finding the servers for each of these applications, the security firm discovered that all servers have the same origin, suggesting that a single developer might be behind all of them.
Both Microsoft and Google were informed of the malicious behavior, which resulted in the removal of the apps from the Microsoft Store and of the mining script from Google Tag Manager.