Microsoft’s Store is not a safe haven


by Martin Brinkmann on February 18, 2019 in Windows

Symantec discovered eight applications in the official Microsoft Store that, once installed, ran cryptomining operations in the background without informing the user.

One of the main arguments for integrating the Microsoft Store in Windows 8 and Windows 10, unveiled in 2011 by Microsoft, was that it protected users from installing malicious or problematic applications on their devices because of a review process and other safeguards.

While it is certainly the case that Windows Store offers a safer environment, it is far from the safe haven that Microsoft would like it to be.

We talked about deceiving apps, copycat apps, and deceptive apps in the past, and covered Microsoft’s attempts to improve quality by pruning low-quality applications.

The introduction of PWA support appears to have opened the door for another type of unwanted software: cryptomining.


Symantec discovered eight applications in Microsoft Store that started cryptomining operations as soon as they were installed and launched by users from the Microsoft Store.

The applications were published by three developers, but there is strong evidence that a single person or group is responsible for all of them. The evidence is that the applications used the same mining key and the same Google Tag Manager key, and that all of them used the same origin (but different domains).

The apps were fairly popular, judging from the 1900 ratings that they received between publication in April 2018 and December 2018. It is certainly possible that part of the ratings came from fake accounts or services that rate apps in return for payment.

Microsoft does not reveal installation counts for applications; it is unclear if the applications landed on thousands, hundreds of thousands, or even more devices running Windows 10.

Windows 10 users were exposed to these applications in various ways: when they searched for apps in the Store, browsed the free listings, or were directed to the Store from websites that linked to these applications.

The applications fetched a JavaScript mining library using Google Tag Manager when they were launched for the first time after download and installation. All applications included privacy policies but mining operations were not mentioned in any of them or the descriptions.
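The attribution signal described above, a Google Tag Manager key shared by apps from different publishers, can be checked by extracting GTM container IDs from each app's web source and grouping on them. The following is an added example, not code from Symantec or the original article; the app names, publishers and `GTM-` IDs are constructed placeholders.

```javascript
// Constructed sample data: app names, publishers and GTM IDs are placeholders,
// not values from the Symantec report.
const sampleApps = [
  { app: "Example Browser", publisher: "Publisher A",
    source: `<script>(function(w,d,s,l,i){/* loader */})(window,document,'script','dataLayer','GTM-EXAMPL1');</script>` },
  { app: "Example Video Tool", publisher: "Publisher B",
    source: `<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPL1"></script>` },
  { app: "Example Search", publisher: "Publisher C",
    source: `<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-EXAMPL1"></iframe>` },
  { app: "Unrelated Notes", publisher: "Publisher D",
    source: `<script src="https://www.googletagmanager.com/gtm.js?id=GTM-OTHER99"></script>` },
  { app: "No Tags", publisher: "Publisher E", source: `<h1>Hello</h1>` },
];

// GTM container IDs have the form "GTM-" followed by uppercase letters/digits.
const GTM_ID = /\bGTM-[A-Z0-9]{4,10}\b/g;

// Return the distinct container IDs referenced in one app's web source.
// Static review sees only this loader reference: whatever script the
// container serves (here, the mining library) is fetched at runtime.
function extractGtmIds(source) {
  return [...new Set(source.match(GTM_ID) || [])];
}

// Group apps by container ID and report IDs used by more than one publisher.
function clusterBySharedContainer(apps) {
  const byId = new Map();
  for (const { app, publisher, source } of apps) {
    for (const id of extractGtmIds(source)) {
      if (!byId.has(id)) byId.set(id, { apps: [], publishers: new Set() });
      const entry = byId.get(id);
      entry.apps.push(app);
      entry.publishers.add(publisher);
    }
  }
  const clusters = [];
  for (const [id, { apps: names, publishers }] of byId) {
    if (publishers.size > 1) {
      clusters.push({ id, apps: names.sort(), publishers: [...publishers].sort() });
    }
  }
  return clusters;
}

console.log(JSON.stringify(clusterBySharedContainer(sampleApps), null, 2));
```

A shared container ID across unrelated publishers is a lead for review, not proof of abuse, because one agency or framework may legitimately deploy the same container for several clients.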

According to Symantec, the applications used the majority of the computer’s CPU cycles for mining operations.

Symantec informed Microsoft about the applications, and Microsoft has since removed them from the Store.

Closing Words

While it is certainly arguable that cryptocurrency mining is less harmful than a device’s infection with malicious software or ransomware, it is clear that Microsoft Store users need to be careful when it comes to the installation of apps from the Store.

In 2013, I recommended that users verify app developers before they install apps. Microsoft’s Store is not the only store that hosted cryptomining applications or extensions. This particular form of unwanted software was previously found in extension stores, e.g. in Mozilla’s or Google’s for the Firefox or Chrome browser, and on Google Play.

Now You: do you use Store applications?