Cryptojacking apps discovered on Microsoft's store

Posted by Nowak (original poster)

[image: oIYqsGH.png]

Sauce: https://www.symantec.com/blogs/threat-intelligence/cryptojacking-apps-microsoft-store

 

The Microsoft Store is secure from malware... until it is not. Last month, cybersecurity firm Symantec discovered 8 malicious cryptojacking apps disguised as normal apps on Microsoft's store, all likely from the same person/group.

 

Quote

On January 17, we discovered several potentially unwanted applications (PUAs) on the Microsoft Store that surreptitiously use the victim’s CPU power to mine cryptocurrency. We reported these apps to Microsoft and they subsequently removed them from their store.


The apps—which included those for computer and battery optimization tutorial, internet search, web browsers, and video viewing and download—came from three developers: DigiDream, 1clean, and Findoo. In total, we discovered eight apps from these developers that shared the same risky behavior. After further investigation, we believe that all these apps were likely developed by the same person or group.

 

The apps in question are contained in the image above. According to Symantec, these apps appeared on the "Top Free" charts on the Microsoft store as well as searches, and will run on Windows 10 in S Mode as well.

 

Quote

Users may get introduced to these apps through the top free apps lists on the Microsoft Store or through keyword search. The samples we found run on Windows 10, including Windows 10 S Mode.

 

So, what do these apps do, exactly? Well, they connect to Google Tag Manager, then fetch a Monero-mining script and begin absorbing CPU cycles to make the app developer rich.

 

Quote

As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store.

 

The apps have their malicious domains hardcoded in the manifest:

 

[image: QJ0R1xH.png]

 

And the script that triggers the mining operations is found here:

 

[image: 4sVlYPZ.png]

 

The apps in question were published between April and December 2018, and while they were removed following Symantec's discovery, it's entirely possible that thousands of users downloaded the apps. This however can't be verified as Microsoft does not publish how many times an app's been downloaded. What leads Symantec to believe they were created by the same person/group is that they share name servers, connect to the same source and also share a Google Tag Manager key.

 

Quote

When each app is launched, the domain is silently visited in the background and triggers GTM with the key GTM-PRFLJPX, which is shared across all eight applications.

 

GTM is a legitimate tool that allows developers to inject JavaScript dynamically into their applications. However, GTM can be abused to conceal malicious or risky behaviors, since the link to the JavaScript stored in GTM is https://www.googletagmanager.com/gtm.js?id={GTM ID} which doesn’t indicate the function of the code invoked.

 

The script was encrypted, but when Symantec did decode it, it was found to be a variant of Coinhive, a Monero-mining script.

 

Quote

By monitoring the network traffic from these apps, we found that they all connect to the following remote location, which is a coin-mining JavaScript library: [image: MIQdk69.png]

The apps then access their own GTM and activate the mining script.

 

Crypta.js is an encrypted JavaScript library, as shown in Figure 4.


After we decoded it, we found that it was a version of the Coinhive library. Coinhive is a script that mines Monero. Since the Coinhive service was launched in September 2017, there have been many reports of it being used for cryptojacking without site visitors' knowledge.

 

By the way, do not go to that URL lol

 

Now, as for what causes Symantec to think the apps were from the same developer, it's because the domains hardcoded into these apps have the same origin.

 

[image: SNTbpXB.png]

 

The apps have since been removed from the Microsoft Store and Google tags deleted, but the fact that these apps were up on Microsoft's store for months is worrying, to say the least. The rest of the Symantec post goes over basic mitigation tips, but I think that the best course of action would be to try to avoid Microsoft's store if possible, as it still barely offers anything over Win32, and now it's known to host malware as well as general low-quality apps.


Officially LTT's 'coolest' member (yes, that's a pun)

The w is pronounced like v, if you're wondering!

Please quote me so I can see that you replied.

Spoiler

Current rig (Ninetales):

Intel Core i7-8086K @ 4.7GHz, ASUS Strix GTX 1070 (8GB), 16GB Corsair Vengeance LPX DDR4-3000, Windows 10 Pro x64

Laptop (Vulpix): 

Intel Core i7-7700HQ, GeForce GTX 1060 (6GB), 16GB G.Skill Ripjaws DDR4-2400, Windows 10 Pro x64
More detailed specs on my profile.

 

On 4/17/2017 at 5:36 PM, Ryan_Vickers said:

Rawr9 Furry Sex

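The two indicators Symantec leaned on above are easy to turn into a detection: a Google Tag Manager load looks like `https://www.googletagmanager.com/gtm.js?id={GTM ID}`, so the container ID can be pulled straight out of the request URL, and apps that share a GTM ID or the same name servers can be grouped as one operator. The script below is an added example, not code from Symantec or from the forum post. It runs over constructed per-app observations (the URLs each app requests after launch, plus the name servers of its hardcoded domain); the app names, domains, name servers and the GTM-EXAMPLE* IDs are placeholders, not the real indicators, and the only script name taken from the report is crypta.js.

```python
"""Correlate app network traffic to spot shared cryptojacking infrastructure.

Added example (not from the Symantec write-up or the forum post). Given each
app's post-launch requests and the name servers of its hardcoded domain, it:
  1. extracts the Google Tag Manager container ID from any
     https://www.googletagmanager.com/gtm.js?id=... request,
  2. flags apps that fetch a JavaScript library matching a miner signature,
  3. clusters flagged apps that share a GTM ID or a name server, the same
     kind of link used to tie the eight store apps to one operator.
All sample data below is constructed; none of it is a real indicator.
"""
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

GTM_HOST = "www.googletagmanager.com"

# Constructed miner signature. "crypta.js" is the file name from the report;
# "coinhive.min.js" is a placeholder for whatever a real blocklist carries.
MINER_SCRIPT_NAMES = {"crypta.js", "coinhive.min.js"}


def gtm_container_id(url):
    """Return the GTM container ID if url is a gtm.js load, else None."""
    u = urlparse(url)
    if u.netloc.lower() != GTM_HOST or not u.path.endswith("/gtm.js"):
        return None
    ids = parse_qs(u.query).get("id")
    return ids[0] if ids else None


def is_miner_script(url):
    """True if the URL's file name is in the miner signature set."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return name in MINER_SCRIPT_NAMES


def analyse(app, requests):
    """Classify one app from its ordered post-launch requests."""
    gtm_ids, miner_urls = [], []
    for url in requests:
        cid = gtm_container_id(url)
        if cid:
            gtm_ids.append(cid)
        elif is_miner_script(url):
            miner_urls.append(url)
    return {"app": app, "gtm_ids": gtm_ids, "miner_urls": miner_urls,
            "suspicious": bool(miner_urls)}


def cluster_by_shared_infra(results, name_servers):
    """Group suspicious apps that share a GTM container ID or a name server."""
    parent = {r["app"]: r["app"] for r in results if r["suspicious"]}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_key = defaultdict(list)  # (indicator type, value) -> apps sharing it
    for r in results:
        if not r["suspicious"]:
            continue
        for cid in r["gtm_ids"]:
            by_key[("gtm", cid)].append(r["app"])
        for ns in name_servers.get(r["app"], ()):
            by_key[("ns", ns.lower())].append(r["app"])
    for apps in by_key.values():
        for other in apps[1:]:
            parent[find(apps[0])] = find(other)
    clusters = defaultdict(list)
    for app in parent:
        clusters[find(app)].append(app)
    return sorted(sorted(v) for v in clusters.values())


# Constructed observations: placeholder apps, domains, name servers, GTM IDs.
SAMPLE_REQUESTS = {
    "Fast-search Lite": ["https://fastsearch.example/",
                         "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE1",
                         "https://cdn.miner.example/lib/crypta.js"],
    "Battery Optimizer": ["https://batteryopt.example/start",
                          "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE1",
                          "https://cdn.miner.example/lib/crypta.js"],
    "Video Viewer": ["https://videoview.example/",
                     "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE2",
                     "https://cdn.miner.example/lib/crypta.js"],
    "Honest Notes": ["https://notes.example/",
                     "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE3",
                     "https://notes.example/app.js"],
}
SAMPLE_NAME_SERVERS = {
    "Fast-search Lite": ["ns1.shared-dns.example"],
    "Battery Optimizer": ["ns1.shared-dns.example"],
    "Video Viewer": ["ns1.shared-dns.example"],
    "Honest Notes": ["ns1.other-dns.example"],
}


def run(requests=SAMPLE_REQUESTS, name_servers=SAMPLE_NAME_SERVERS):
    """Analyse every app and return (per-app results, operator clusters)."""
    results = [analyse(app, reqs) for app, reqs in requests.items()]
    return results, cluster_by_shared_infra(results, name_servers)


if __name__ == "__main__":
    results, clusters = run()
    for r in results:
        print(f"{r['app']:18} suspicious={r['suspicious']} gtm={r['gtm_ids']}")
    print("clusters:", clusters)
```

Note that "Video Viewer" uses a different GTM container than the other two but lands in the same cluster because it shares a name server; "Honest Notes" loads GTM too, which on its own is benign, and is left out because it never fetches a mining library.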

Yeah... this is unsurprising to say the least.


Having problems with your fresh Windows 10 install? PM Me!
Windows 10- Want To Disable Telemetry, Disable Cortana, Disable Windows Updates? Look at my guide HERE
LTT Beginners Guide  | Community Standards | TN&R Posting Guidelines

1 hour ago, Nowak said:

the best course of action would be to try to avoid Microsoft's store if possible, as it still barely offers anything over Win32, and now it's known to host malware as well as general low-quality apps.

As opposed to the whole internet which we all know has no malware and only the highest quality programs which can be found by doing a vague Google search 


Who uses the Microsoft Store anyway?


S E O Z

Custom Build Log  Arctic Freezer 33 eSports One Review  i5-8600K 5.3GHz CPU-Z Validation  Audio-Technica ATH-M50x Perspective

 

 

Main PC:

CPU: i5-8600K 4.7GHz Cooler: Arctic 33 eSports One Motherboard: Asus Prime Z370-P RAM: 16GB Corsair LPX DDR4-3000 GPU: Asus GTX 1060 3GB Storage: 500GB Crucial P1 + 250GB Samsung 850 EVO SSD PSU: Corsair CX450M Case: NZXT S340

Keyboard: EagleTec KG011 Mouse: Logitech G305 Monitor: LG 29WK600 Sound: Audio-Technica ATH-M50x

 

Brother:

CPU: Ryzen 2200G 3.5GHz Cooler: AMD Wraith Stealth Motherboard: ASRock B450M Pro4 RAM: 8GB Patriot Viper 4 DDR4-3000 GPU: Gigabyte GTX 1050 Ti 4GB Storage: Integral V2 250GB SSD PSU: BQ PP 10 400W Case: DeepCool Frame

Keyboard: Redragon K552 Mouse: Corsair Sabre RGB Monitor: AOC E2270SWHN + Acer KG221Q Sound: Earbuds

 

Asus ZenBook UX410-UA:

CPU: i3-8130U 2.2GHz RAM: 12GB DDR4-2400 GPU: Intel UHD 620 Storage: 256GB SK Hynix M.2 SATA SSD Screen: 14" 1920x1080p IPS

Posted by Nowak (original poster)
1 minute ago, Arika S said:

As opposed to the whole internet which we all know has no malware and only the highest quality programs which can be found by doing a Google search 

Right :P 

35 minutes ago, seoz said:

Who uses the Microsoft Store anyway?

I do. When you are teaching kids (many with learning difficulties) how to be proficient in computer use without the risks associated with downloading programs off the internet based only on Google results, the MS store offers them a much more secure way to search for new apps.

 

Everyone likes to shit on MS, but the reality is that if you have no idea what you are doing and don't understand anything about software, then the MS store is a far safer place to search for new software than in the wild.


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.


Not surprising. The Microsoft app store has felt to me like it's 90% trash on this level. Probably just because there's so few real things though... I would bet Android and iOS have just as many bad apps, there's just more good ones to cover it. Either way, you have to expect that with some random thing you've never heard of before. Don't install weird stuff.


Unsurprising to say the least.

These apps will be prevalent no matter where you go. Whether it be the Microsoft Store, Chrome Web Store, App Store or Google Play; it will exist.

On the whole, the Microsoft Store is generally pretty safe (and useless, but that's down to opinion). This type of situation seems to be a rare occurrence, so at least there's that.


Some may know me as 1kv. I'm not liable for anything that may happen as a result of following my advice. Take what I say with a grain of salt, some things may not be correct.

Make sure to tag or quote who you are trying to reply to, that way they will see your answer.

Useful links: Community Standards | New PSU Tier List | Posting Guidelines | Why you shouldn't buy an EVGA G3 PSU | Build Guide Megathread | GPU Tier List


you can't install antivirus if you have Windows 10 S... so much for the oh our store is secure, you don't need antivirus bla bla bla


DISCLAIMER: ANYTHING I SAY COULD BE WRONG. DO YOUR OWN RESEARCH! 

Have a look at my set up your linux gaming pc from start to finish topic if you want to get started with linux :) 

My laptop: MacBook Pro 13" Mid-2012: I5 3210M | HD4000 | 1TB SSD | 16GB RAM | macOS Mojave


so the S in 10S definitely doesn't stand for Secure  xD


One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

On 2/21/2019 at 6:10 AM, Ryan_Vickers said:

Not surprising. The Microsoft app store has felt to me like it's 90% trash on this level. Probably just because there's so few real things though... I would bet Android and iOS have just as many bad apps, there's just more good ones to cover it. Either way, you have to expect that with some random thing you've never heard of before. Don't install weird stuff.

When I was on Windows Phone, the store experience felt worse than Google Play at one point. A few examples would be a "Twerking Videos" app for $1.99, a "How to talk to girls" app for $3.99, a "Miley Cyrus quiz", and an "I am bored" puzzle game app (not even joking) for a few bucks. Just browsing the place and facepalming was more entertaining than using any of these apps.


Used -700% storage
