For the curious, the cryptojacking apps were: FastTube, VPN Browser+, Downloader for YouTube Videos, Clean Master+, Findoo Browser 2019, Findeoo Mobile & Desktop search, Fast-search Lite, and Battery Optimizer. The currency being mined is Monero, which is designed specifically for privacy and is often used on the darknet. The apps are able to mine on both regular Windows 10 and Windows 10 in S mode, so this is a significant bypass of Microsoft's security.
(Image: Google Tag Manager JavaScript)
It's not clear how much Monero the group mined, but the apps were published between April and December 2018. The apps had up to 1,900 ratings, but it's not clear whether those were fraudulent. Those infected with the crypto miners would have noticed a massive spike in CPU utilization. In fact, because the JavaScript code used does not throttle itself, the apps would use 100% of the CPU all the time, which would cause noticeable slowdowns. "As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers," explained Symantec in its report. "The mining script then gets activated and begins using the majority of the computer's CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store." Google has been informed of the GTM JavaScript and has removed it, so it's unlikely we'll see this exact technique repeated. However, it does highlight that just because an app is in the Microsoft Store, it doesn't mean it's entirely safe. Users should always stick to reputable developers and keep an eye on their system resource usage.
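The tell-tale sign described above, an unthrottled mining script pinning the CPU indefinitely, is something a defender can turn into a simple triage check. The following is an added example, not code from the article or from Symantec's report: it takes per-process CPU samples (the sample telemetry below is constructed, with a hypothetical process name standing in for a store app) and flags any process that stays above a CPU threshold for a sustained window, which separates a miner from a browser tab or a build job that merely spikes for a short time.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CpuSample:
    """One reading of a process's CPU usage. ts is seconds since monitoring began."""
    ts: int
    pid: int
    name: str
    cpu_percent: float

# Constructed telemetry (hypothetical process names, 30-second sampling interval):
#   pid 4242 behaves like an unthrottled miner: near 100% for the whole window.
#   pid 1001 is a browser with short spikes.
#   pid 2002 is a build job that runs hot for one minute and then idles.
SAMPLES = [
    *[CpuSample(t, 4242, "unknown_app.exe", 97.0 + (t // 30) % 3) for t in range(0, 300, 30)],
    CpuSample(0, 1001, "browser.exe", 95.0), CpuSample(30, 1001, "browser.exe", 96.0),
    CpuSample(60, 1001, "browser.exe", 20.0), CpuSample(90, 1001, "browser.exe", 15.0),
    CpuSample(120, 1001, "browser.exe", 93.0), CpuSample(150, 1001, "browser.exe", 10.0),
    CpuSample(0, 2002, "build.exe", 100.0), CpuSample(30, 2002, "build.exe", 100.0),
    CpuSample(60, 2002, "build.exe", 100.0), CpuSample(90, 2002, "build.exe", 40.0),
    CpuSample(120, 2002, "build.exe", 5.0), CpuSample(150, 2002, "build.exe", 3.0),
]

def flag_sustained_cpu(samples, threshold=90.0, min_duration=120):
    """Return {pid: (name, seconds)} for processes whose CPU usage stayed at or
    above `threshold` percent for an unbroken run of at least `min_duration` seconds.

    A single dip below the threshold ends the run, so bursty workloads are not
    flagged; only a continuously hot process (the miner's signature) is.
    """
    by_pid = {}
    for s in sorted(samples, key=lambda s: s.ts):
        by_pid.setdefault(s.pid, []).append(s)

    flagged = {}
    for pid, seq in by_pid.items():
        run_start = None
        longest = 0
        for s in seq:
            if s.cpu_percent >= threshold:
                if run_start is None:
                    run_start = s.ts
                longest = max(longest, s.ts - run_start)
            else:
                run_start = None
        if longest >= min_duration:
            flagged[pid] = (seq[0].name, longest)
    return flagged

if __name__ == "__main__":
    for pid, (name, seconds) in flag_sustained_cpu(SAMPLES).items():
        print(f"pid {pid} ({name}) held >=90% CPU for {seconds}s: investigate for cryptojacking")
```

On a live Windows host the samples would come from a periodic collector (for instance a scheduled Get-Process or a psutil loop) rather than the constructed list. The result is a triage signal, not a verdict: a video encoder or a long compile will also run hot, so a flagged process should be checked against what the user expects it to be doing and, where the host's firewall or proxy logs allow it, against whether it is talking to an unfamiliar server while hot.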