
Cryptojacking apps discovered on Microsoft's store

Nowak

[Image oIYqsGH.png: the apps in question]

Sauce: https://www.symantec.com/blogs/threat-intelligence/cryptojacking-apps-microsoft-store

 

The Microsoft Store is secure from malware... until it is not. Last month, cybersecurity firm Symantec discovered 8 malicious cryptojacking apps disguised as normal apps on Microsoft's store, all likely from the same person/group.

 

Quote

On January 17, we discovered several potentially unwanted applications (PUAs) on the Microsoft Store that surreptitiously use the victim’s CPU power to mine cryptocurrency. We reported these apps to Microsoft and they subsequently removed them from their store.


The apps—which included those for computer and battery optimization tutorial, internet search, web browsers, and video viewing and download—came from three developers: DigiDream, 1clean, and Findoo. In total, we discovered eight apps from these developers that shared the same risky behavior. After further investigation, we believe that all these apps were likely developed by the same person or group.

 

The apps in question are contained in the image above. According to Symantec, these apps appeared on the "Top Free" charts on the Microsoft store as well as searches, and will run on Windows 10 in S Mode as well.

 

Quote

Users may get introduced to these apps through the top free apps lists on the Microsoft Store or through keyword search. The samples we found run on Windows 10, including Windows 10 S Mode.

 

So, what do these apps do, exactly? Well, they connect to Google Tag Manager, then fetch a Monero-mining script and begin absorbing CPU cycles to make the app developer rich.

 

Quote

As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store.

 

The apps have their malicious domains hardcoded in the manifest:

 

[Image QJ0R1xH.png: malicious domains hardcoded in the app manifest]

 

And the script that triggers the mining operations is found here:

 

[Image 4sVlYPZ.png: the script that triggers the mining operations]

 

The apps in question were published between April and December 2018, and while they were removed following Symantec's discovery, it's entirely possible that thousands of users downloaded the apps. This, however, can't be verified, as Microsoft does not publish how many times an app has been downloaded. What leads Symantec to believe they were created by the same person/group is that they share name servers, connect to the same source and also share a Google Tag Manager key.

 

Quote

When each app is launched, the domain is silently visited in the background and triggers GTM with the key GTM-PRFLJPX, which is shared across all eight applications.

 

GTM is a legitimate tool that allows developers to inject JavaScript dynamically into their applications. However, GTM can be abused to conceal malicious or risky behaviors, since the link to the JavaScript stored in GTM is https://www.googletagmanager.com/gtm.js?id={GTM ID} which doesn’t indicate the function of the code invoked.

 

The script was encrypted, but when Symantec did decode it, it was found to be a variant of Coinhive, a Monero-mining script.

 

Quote

By monitoring the network traffic from these apps, we found that they all connect to the following remote location, which is a coin-mining JavaScript library: [Image MIQdk69.png]

The apps then access their own GTM and activate the mining script.

 

Crypta.js is an encrypted JavaScript library, as shown in Figure 4.


After we decoded it, we found that it was a version of the Coinhive library. Coinhive is a script that mines Monero. Since the Coinhive service was launched in September 2017, there have been many reports of it being used for cryptojacking without site visitors' knowledge.

 

By the way, do not go to that URL lol

 

Now, as for what causes Symantec to think the apps were from the same developer, it's because the domains hardcoded into these apps have the same origin.

 

[Image SNTbpXB.png: shared origin of the hardcoded domains]

 

The apps have since been removed from the Microsoft Store and Google tags deleted, but the fact that these apps were up on Microsoft's store for months is worrying, to say the least. The rest of the Symantec post goes over basic mitigation tips, but I think that the best course of action would be to try to avoid Microsoft's store if possible, as it still barely offers anything over Win32, and now it's known to host malware as well as general low-quality apps.

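Added example (not part of the original post or the Symantec write-up): a small Python detection sketch for the behaviour described above, where launching the app loads a Google Tag Manager container and the container then pulls in a coin-mining script. It runs over a constructed proxy log embedded in the script; the process names, the script host and the pool host are made up, and the only real indicator is the GTM container key GTM-PRFLJPX from the Symantec post. The "crypta.js" name is taken from the post as well; treating it as a miner indicator is an assumption.

```python
"""Detection sketch: flag processes whose GTM container load is followed by a
coin-mining script, or whose GTM key is a known cryptojacking container.

Constructed example. Log lines, process names and hosts below are made up;
GTM-PRFLJPX and the crypta.js file name come from the Symantec write-up."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Indicators: the GTM key reported by Symantec, plus script names assumed to
# indicate a Coinhive-style miner.
KNOWN_BAD_GTM_IDS = {"GTM-PRFLJPX"}
KNOWN_MINER_SCRIPTS = {"crypta.js", "coinhive.min.js"}
WINDOW = timedelta(seconds=30)  # how soon after gtm.js the miner must appear

# Constructed proxy log: "<ISO timestamp> <process> <url>" per line.
SAMPLE_LOG = """\
2019-01-17T10:00:01 FastCleaner.exe https://www.googletagmanager.com/gtm.js?id=GTM-PRFLJPX
2019-01-17T10:00:03 FastCleaner.exe https://cdn.example-assumed.net/crypta.js
2019-01-17T10:00:05 FastCleaner.exe wss://pool.example-assumed.net/proxy
2019-01-17T10:01:00 Notepad.exe https://www.googletagmanager.com/gtm.js?id=GTM-AAAA111
2019-01-17T10:02:00 Browser.exe https://www.googletagmanager.com/gtm.js?id=GTM-BBBB222
2019-01-17T10:02:02 Browser.exe https://cdn.example-assumed.net/site.js
"""


def parse_log(text):
    """Turn log lines into (datetime, process, url) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, proc, url = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), proc, url))
    return events


def gtm_container_id(url):
    """Return the GTM container id if the URL is a gtm.js load, else None."""
    u = urlparse(url)
    if u.hostname == "www.googletagmanager.com" and u.path == "/gtm.js":
        ids = parse_qs(u.query).get("id")
        return ids[0] if ids else None
    return None


def script_name(url):
    """Last path component of a URL, lower-cased (e.g. 'crypta.js')."""
    return urlparse(url).path.rsplit("/", 1)[-1].lower()


def find_suspicious(log_text):
    """Return {process: sorted reasons} for every process matching a rule."""
    by_proc = defaultdict(list)
    for ts, proc, url in parse_log(log_text):
        by_proc[proc].append((ts, url))

    findings = {}
    for proc, events in by_proc.items():
        events.sort()
        reasons = set()
        for i, (ts, url) in enumerate(events):
            gtm_id = gtm_container_id(url)
            if gtm_id is None:
                continue
            # Rule 1: the container key itself is a known indicator.
            if gtm_id in KNOWN_BAD_GTM_IDS:
                reasons.add(f"known cryptojacking GTM container {gtm_id}")
            # Rule 2: a GTM load followed within WINDOW by a miner script,
            # which catches the same trick under a fresh container key.
            for later_ts, later_url in events[i + 1:]:
                if later_ts - ts > WINDOW:
                    break
                name = script_name(later_url)
                if name in KNOWN_MINER_SCRIPTS:
                    reasons.add(f"GTM load followed by miner script {name}")
        if reasons:
            findings[proc] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for proc, reasons in find_suspicious(SAMPLE_LOG).items():
        print(proc)
        for reason in reasons:
            print("  -", reason)
```

The second rule matters more than the first: a blocklisted GTM key only catches these eight apps, while "gtm.js followed seconds later by a miner script from the same process" still fires when the operators register a new container, which is exactly the indirection the Symantec post warns about.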

Yeah... this is unsurprising to say the least.


1 hour ago, Nowak said:

the best course of action would be to try to avoid Microsoft's store if possible, as it still barely offers anything over Win32, and now it's known to host malware as well as general low-quality apps.

As opposed to the whole internet which we all know has no malware and only the highest quality programs which can be found by doing a vague Google search 


1 minute ago, Arika S said:

As opposed to the whole internet which we all know has no malware and only the highest quality programs which can be found by doing a Google search 

Right :P 


35 minutes ago, seoz said:

Who uses the Microsoft Store anyway?

I do, when you are teaching kids (many with learning difficulties) how to be proficient in computer use without the risks associated with downloading programs off the internet based only on Google results, the MS store offers them a much more secure way to search for new apps.

 

Everyone likes to shit on MS, but the reality is that if you have no idea what you are doing and don't understand anything about software, then the MS store is a far safer place to search for new software than in the wild.


I only use the Microsoft store for Microsoft apps.


Not surprising.  The Microsoft app store has felt to me like it's 90% trash on this level.  Probably just because there's so few real things though... I would bet android and ios have just as many bad apps, there's just more good ones to cover it.  Either way, you have to expect that with some random thing you've never heard of before.  Don't install weird stuff.


what is this "microsoft app store" you speak of?


Unsurprising to say the least.

These apps will be prevalent no matter where you go. Whether it be the Microsoft Store, Chrome Web Store, App Store or Google Play; it will exist.

On the whole, the Microsoft Store is generally pretty safe (and useless, but that's down to opinion). This type of situation seems to be a rare occurrence, so at least there's that.


so the S in 10S definitely doesn't stand for Secure xD


On 2/21/2019 at 6:10 AM, Ryan_Vickers said:

Not surprising.  The Microsoft app store has felt to me like it's 90% trash on this level.  Probably just because there's so few real things though... I would bet android and ios have just as many bad apps, there's just more good ones to cover it.  Either way, you have to expect that with some random thing you've never heard of before.  Don't install weird stuff.

When I was on Windows Phone the store experience felt worse than Google Play at one point. A few examples would be a "Twerking Videos" app for $1.99, a "How to talk to girls" app for $3.99, a "Miley Cyrus quiz", an "I am bored" puzzle game app (not even joking) for a few bucks. Just browsing the place and facepalming was more entertaining than using any of these apps.
