A batch of eight potentially unwanted applications (PUAs) were found on the Microsoft Store dropping malicious Monero (XMR) Coinhive cryptomining scripts, delivered with the help of Google’s legitimate Google Tag Manager (GTM) library.
Microsoft removed the Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search apps, developed by three developers (i.e., DigiDream, 1clean, and Findoo), after a report by Symantec, the company that discovered the eight apps in Redmond's store.
As Symantec's Yuanjing Guo and Tommy Dong stated, the risky apps were found "on Windows 10, including Windows 10 S Mode" and were added to the Microsoft Store between April and December 2018, most of them landing in the store at the end of last year.
While there is no way to know the exact number of installs for each app since Microsoft doesn’t share that info on the Microsoft Store entries as Google’s Play Store does, it is quite obvious that they’ve either been installed on numerous devices or had a large number of fake ratings given that “there were almost 1,900 ratings posted.”
The Symantec researchers explain that:
Since cryptomining scripts usually run on compromised machines without any resource usage controls, it is very likely that the Windows systems where these particular apps landed experienced serious performance issues because all CPU resources were continuously used to mine Monero for the apps' operators.
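The symptom described above, a process pinning the CPU for long stretches, is also the simplest host-side signal a defender can look for. The following is an added example (not code from the article or from Symantec) of a small triage heuristic: it takes per-process CPU samples and flags only processes whose usage stays above a threshold for a sustained period, so that short legitimate spikes are ignored. The process names, PIDs and CPU values are constructed for the example; in practice the samples would come from whatever process telemetry the environment already collects.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts: int          # seconds since epoch (constructed)
    pid: int
    name: str
    cpu_pct: float   # CPU usage of the process over the sampling interval, in percent


def _series(pid, name, values, step=10):
    """Build a time series of samples taken every `step` seconds (constructed data)."""
    return [Sample(ts=i * step, pid=pid, name=name, cpu_pct=v) for i, v in enumerate(values)]


# Constructed telemetry: one process pinned for three minutes, one with a brief
# spike, and one that is busy in two short bursts separated by idle time.
SAMPLES = (
    _series(4120, "FastTube.exe", [97.0] * 19)                      # ts 0..180, pinned
    + _series(880, "explorer.exe", [3.0, 5.0, 40.0, 90.0, 6.0, 2.0, 4.0])
    + _series(2210, "chrome.exe", [92.0] * 7 + [10.0] * 3 + [92.0] * 6)
)


def sustained_cpu_hogs(samples, threshold=85.0, min_seconds=120, max_gap=30):
    """Return {(pid, name): longest_run_seconds} for processes whose CPU usage
    stayed at or above `threshold` for at least `min_seconds` without dropping
    below it and without a gap in the samples longer than `max_gap` seconds."""
    by_proc = defaultdict(list)
    for s in samples:
        by_proc[(s.pid, s.name)].append(s)

    flagged = {}
    for key, series in by_proc.items():
        series.sort(key=lambda s: s.ts)
        best = 0            # longest run seen so far for this process
        run_start = None    # timestamp at which the current high-CPU run began
        prev_ts = None
        for s in series:
            # A missing stretch of samples ends the run: we cannot claim the
            # process was busy while we were not looking.
            gap = prev_ts is not None and s.ts - prev_ts > max_gap
            if s.cpu_pct < threshold or gap:
                run_start = None
            if s.cpu_pct >= threshold:
                if run_start is None:
                    run_start = s.ts
                best = max(best, s.ts - run_start)
            prev_ts = s.ts
        if best >= min_seconds:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (pid, name), seconds in sustained_cpu_hogs(SAMPLES).items():
        print(f"pid {pid} ({name}) sustained high CPU for {seconds}s")
```

With the defaults only the pinned process is reported; lowering `min_seconds` to 60 also surfaces the first of the two browser bursts. The heuristic cannot tell a miner from a legitimate long-running job such as a video encode or a compile, so it is a triage signal to pair with the app's origin and network activity, not a verdict on its own.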
While cryptocurrency miners are not malicious tools on their own, they are seen as malware when used by threat actors to secretly mine for crypto coins in the background stealing processing resources from unaware victims’ devices.
As part of cryptojacking malware campaigns, criminals collect all the cryptocurrency surreptitiously mined on compromised systems and send it to crypto wallets that they control.
Cryptojacking on the rise
According to a report by Check Point Research, cryptominers infected roughly ten times more companies during 2018 than ransomware did, overtaking the previous apex predator on the malware scene.
However, only one in five security professionals were able to detect that their company's systems had been affected by a malware attack while the cryptocurrency mining scripts were silently running in the background.
The trend is even more noticeable when taking into consideration that the apps Microsoft just removed from the Microsoft Store are the first of their kind targeting this platform.
Linux users are also actively targeted by cryptojacking campaigns, with a new backdoor Trojan, dubbed SpeakUp by Check Point, currently targeting servers running six different Linux distributions as well as Apple's macOS, and a new coinminer malware strain using the XMR-Stak Cryptonight cryptocurrency miner having been detected this month.
Palo Alto Networks’ researchers previously stated during the summer of 2018 that criminal groups have mined an approximate total of 798,613.33 Monero coins (XMR) using malware on infected devices, earning them over $108 million in US currency, which represents around 5% of all the Monero currently in circulation.
Researchers from the Universidad Carlos III de Madrid and the King’s College London reached a similar conclusion confirming Palo Alto Networks’ results at the start of 2019, concluding that criminals have mined (at least) 4.3% of the total number of Monero coins.