Crypto miners penetrated Microsoft Store

It turns out that even in the Microsoft Store directory you can publish a malicious program, and no one will notice. This is very convenient for intruders, because most users see directories like Microsoft Store, App Store and Google Play as a safe haven where they are protected from viruses (of course, this is not so). Accordingly, thousands of users carelessly download the application, not knowing anything bad. Unfortunately for fraudsters, now this shop is partially covered.

On January 17, 2019, Symantec found eight applications with built-in crypto-engineers in the Microsoft Store. All applications belong to the PWA (Progressive Web Applications) class, they are installed in Windows 10 and work in a separate window (WWAHost.exe), which is not similar to a browser, but in fact they are browser applications.

Such programs do nothing wrong with the victim's computer. Just quietly and peacefully mine Monero on the CPU, not too increasing the load on the processor.

Symantec immediately reported the find to Microsoft, and they were soon removed from the catalog. February 15 report published in the public domain .

The list of applications covers several thematic categories: here are tutorials on optimizing a computer and a battery (there is some irony here), an application for searching the Internet, web browsers, and programs for downloading videos from YouTube.

Although the developers are listed as three companies (DigiDream, 1clean and Findoo), but Symantec experts believe that they are actually created by one person or group.

On the one hand, if the developer had written about mining in small letters in the user agreement, then with a 99% probability no one would have noticed this phrase, but his actions would be completely legal. On the other hand, in any case, mining probably violates the rules for Microsoft Store applications, so they simply would not be allowed into the catalog.

These annexes were posted between April and December 2018, most of which were published at the end of the year.

It is not known how many users downloaded and installed programs. But they were easy to find in the tops of free apps in the tops of the Microsoft Store. The company Symantec said that in mid-January for these applications published 1900 estimates, that is, the number of users in the thousands, and maybe tens of thousands. On the other hand, ratings can be stranded, so it is not possible to make an accurate assessment.

Once the applications are loaded and run, they immediately download the mining JavaScript library from the developer’s server. How it is done: the official domains of each program are registered in the manifest file. For example, the domain Fast-search.tk for the Fast-search Lite application in the screenshot below.



After installation, the application accesses this domain and activates the Google Tag Manager (GTM) script, and all eight applications do this with the same GTM-PRFLJPX key. Google Tag Manager is a common marketer tool. The link looks like https://www.googletagmanager.com/gtm.js?id={GTM ID} , which theoretically allows you to access an arbitrary function, which the attackers used.

Under the guise of GTM runs the following script:



By listening to network traffic, Symantec experts noticed that this script is accessing a remote server and trying to download the http://statdynamic.com/lib/crypta.js library.

Well, then it is clear. Crypta.js is an encrypted mining library that uses the CPU and mine the popular Monero coin. Why popular? Because it is specially optimized for mining on the central processor, so there is still a little profitable mining there.

In reality, Crypta.js is a version of the well-known library Coinhive - legal service, which opened in September 2017 and is still working, allowing monetize the user base to program developers and website owners.

Symantec deciphered Crypta.js and found a Coinhive account where money is transferred from mining: da8c1ffb984d0c24acc5f8b966d6f218fc3ca6bda661 . Maybe sometime in the future, in such situations, the attacker’s account will be arrested and the coins from him distributed among all the victims.