While being scanned for vulnerabilities, it was discovered that the Microsoft Store contained at least eight malicious cryptojacking apps. In the store, the apps were placed in the top free apps list and they were portrayed as browsers and video downloaders. The researchers who discovered the apps stated, “As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store.” GTM does not scan the code within its storage, so attackers like to use it to hide malicious code. The names were listed as the developers of these apps. Those names were DigiDream, 1clean, and Findoo. Interestingly enough, the apps all ran on the same server, so it is likely they were created by the same group or person. When these apps were discovered, Microsoft was informed and immediately removed them from the store while GTM discarded the cryptomining library from their server.
Analyst Notes
Users should regularly update their mobile devices and download apps from reputable app stores. A thorough look at the logo of the app is recommended as well. Identify the permissions that are requested by the app. Personal information that is stored within the device should be backed up regularly. If users believe they have downloaded one of these malicious apps, they should be deleted immediately and reported the respective app store.
