Eight applications designed to mine for crypto-currency without users’ knowledge made their way into the Microsoft Store, Symantec has discovered.
The apps surreptitiously use the victim’s CPU power to mine for Monero and landed in the application marketplace as computer and battery optimization tutorial, internet search, web browsers, and video viewing and download programs. They target both Windows 10 and Windows 10 S.
Although they were published in the Microsoft Store under three different developer accounts, namely DigiDream, 1clean, and Findoo, the programs were likely built by the same person or group, Symantec says.
After being downloaded and executed, the apps would fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The script starts using the majority of the computer’s CPU cycles to mine Monero for the perpetrators.
The offending applications were published in the application store between April and December 2018, most toward the end of the year. Despite being available for a relatively short period of time, however, the apps appear to have been downloaded by a significant number of users.
“Although we can’t get exact download or installation counts, we can see that there were almost 1,900 ratings posted for these apps. However, app ratings can be fraudulently inflated, so it is difficult to know how many users really downloaded these apps,” Symantec notes.
When launched, the apps silently visit a domain in the background and trigger GTM, a legitimate tool for developers to inject JavaScript dynamically into their applications.
All eight apps were found to share the same key GTM-PRFLJPX and to connect to the same remote location, a coin-mining JavaScript library. The script is a version of the Coinhive library, a script designed to mine for Monero.
“These apps fall under the category of Progressive Web Applications, which are installed as a Windows 10 app running independently from the browser, in a standalone (WWAHost.exe process) window,” Symantec reports.
After finding the servers for each of these applications, the security firm discovered that all servers have the same origin, suggesting that a single developer might be behind all of them.
Both Microsoft and Google were informed on the malicious behavior, which resulted the removal of the apps from the Microsoft Store and of the mining script from Google Tag Manager.
Related: Cryptocurrency Theft Tops $1 Billion in Past Six Months
Related: Downsides and Dangers of Cryptominers
Related: Is Cryptojacking Replacing Ransomware as the Next Big Threat?
Ionut Arghire is an international correspondent for SecurityWeek.
Tags: 
