United States-based software corporation Microsoft has removed eight Windows 10 applications from its official app store after cybersecurity firm Symantec identified the presence of surreptitious Monero (XMR) coin mining code. The news was reported by Symantec on Feb. 15.
Stealth crypto mining — also know as cryptojacking – works by installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge. According to Symantec, the firm first detected malicious XMR mining code within eight apps — issued by three developers — on Jan. 17.
After Symantec alerted Microsoft, the corporation is reported to have removed all eight products — although an exact date for their delisting is not provided.
The applications — which were marketed as part of the top free app listings on the Microsoft Store — reportedly included “a computer and battery optimization tutorial, internet search, web browsers, and video viewing and download,” and were issued by developers “DigiDream, 1clean and Findoo.” Upon closer investigation, Symantec has proposed that all eight apps have in fact likely been developed by the same person or group, rather than by three distinct entities.
All the detected samples reportedly run on Windows 10, including Windows 10 S Mode, and were variously published between April and December 2018. They reportedly work by triggering Google Tag Manager in their domain servers to fetch a coin-mining JavaScript library. Once the mining script is activated, the target’s computer CPU cycle is hijacked to mine XMR for the app developers.
Symantec representatives told technology news website ZDNet that this is the first time cryptojacking cases have been found on the Microsoft store. The apps’ stealth success reportedly stems from the fact they run independently from the browser in a standalone (WWAHost.exe process) window. Moreover, they have “no throttling which means [they can use] up 100% of user's CPU time.”
As Synmantec notes, while the suspect apps all provided privacy policies, they unanimously omitted any mention of cryptocurrency mining. The firm’s analysis identified the strain of mining malware enclosed in the apps as being the web browser-based Coinhive XMR mining code.
Symantec says it has not been able to determine precise download or installation statistics, but observes that the apps received almost 1,900 ratings — whether or not these accurately reflect real users, or fraudulent bots, is difficult to ascertain.
Aside from Microsoft’s action to delist the apps, the mining JavaScript has also reportedly been removed from Google Tag Manager, following Symantec’s alert.
As reported, recent research from cyber security research firm Kaspersky Lab has revealed that cryptojacking overtook ransomware as the biggest cybersecurity threat — particularly in the Middle East, Turkey and Africa.