Pierluigi Paganini February 15, 2019

Symantec discovered eight potentially unwanted applications (PUAs) into the Microsoft Store that were dropping cryptojacking Coinhive miners.

Security experts at Symantec have discovered eight potentially unwanted applications (PUAs) into the Microsoft Store that were dropping cryptojacking Coinhive miners.

The removed apps are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.

The malicious Monero (XMR) Coinhive cryptomining scripts were delivered leveraging the Google’s legitimate Google Tag Manager (GTM) library.

The GTM tag management system allows developers to inject JavaScript and HTML content within their apps for tracking and analytics purposes.

“Users may get introduced to these apps through the top free apps lists on the Microsoft Store or through keyword search. The samples we found run on Windows 10, including Windows 10 S Mode.” reads the analysis published by Symantec.

“As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators.”

The malicious apps were added to the Microsoft Store between April and December 2018.

Unlike Google Play, Microsoft Store doesn’t share information on the number of downloads installed on numerous devices, but experts pointed out that the apps have a large number of fake ratings, there were almost 1,900 ratings posted for these applications.

Once one of the apps is downloaded and launched, it fetches a cryptojacking JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. Then the mining script is activated and starts abusing devices resources to mine Monero cryptocurrency.

After snooping on the network traffic between the apps and their command-and-control servers, Symantec was able to find out that they were using a variant of the JavaScript-based Coinhive miner script, a well-known tool used by threat actors as part of cryptojacking campaigns since September 2017 when it was launched.

The analysis of the network traffic associated with the apps allowed the researchers to find the hosting server for each app. All the servers have the same origin, the apps were likely published by the same developers under different names.

Symantec provided the following recommendations to mitigate the threat:

• Keep your software up to date.
• Do not download apps from unfamiliar sites.
• Only install apps from trusted sources.
• Pay close attention to the permissions requested by apps.
• Pay close attention to CPU and memory usage of your computer or device.
• Install a suitable security app, such as Norton or Symantec Endpoint Protection, to protect your device and data.
• Make frequent backups of important data.

Pierluigi Paganini

(SecurityAffairs – cryptojacking Coinhive miners, malware)

[adrotate banner=”5″] [adrotate banner=”13″]