A cybersecurity firm has found that apps in the Microsoft Store have been found to be secretly mining for cryptocurrencies in the background without permission being granted from the user.
Symantec discovered at least 8 offending apps that used users' CPU resources to mine for cryptocurrencies. The apps were published by 3 different developer names: DigiDream, 1 clean, and Findoo. Looking at the source code of the apps, the firm believes that despite the different names, the apps are actually developed by the same person or group of people.
The apps work by secretly loading a webpage which then uses Google Tag Manager (GTM) to inject a crypto-mining script in. All of the apps used the same GTM account ID, GTM-PRFLJPX. GTM is a tool used by web developers, publishers and marketers to add analytics tracking and other such scripts into a website through a friendly interface.
The 8 offending apps are shown below:
All of the apps were Progressive Web Apps (PWAs). After Symantec reported the issue to Microsoft, the company quickly acted to remove the apps from the Microsoft Store, but it is believed that the apps could have affected a large number of people, as they appeared in the Top Free Apps list and had over 1,900 reviews, but exact download figures couldn't be obtained.
In what is a troubling incident for Microsoft, these apps were able to be installed on both standard Windows 10 installations, but also on Windows 10 S, which is supposed to be more secure by only allowing apps from the Microsoft Store to be installed, but clearly in this instance, that extra layer of protection didn't help.
It is likely that Microsoft will now be reviewing how these apps progressed through the review process and looking at how to prevent future incidents that involve cryptojacking.