The Microsoft Store is perceived by many to be one of the most secure digital storefronts due to the sandbox nature of the apps available there. In fact, Microsoft even launched Windows 10 S back in 2017 which allowed users to only download apps from the Microsoft Store in an effort to boost security.

However, it appears that the security of the Store has been somewhat compromised, with a new report claiming that the Microsoft Store hosted several apps - potentially downloaded by thousands - that illegally mined cryptocurrencies in the background.

In a blog post, U.S.-based cybersecurity firm Symantec has meticulously detailed how it found at least eights free apps - now removed by Microsoft - in the Store that utilized the CPU's resources to mine cryptocurrencies without the permission of the user. These apps operated in the background, and affected people who use Windows 10 in S Mode as well.

Although these apps were created under three different developer names, Symantec's inspection of their respective codes have led them to believe that they may be created by the same person or group of people. The company says that:

As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators. Although these apps appear to provide privacy policies, there is no mention of coin mining on their descriptions on the app store. [...] When each app is launched, the domain is silently visited in the background and triggers GTM with the key GTM-PRFLJPX, which is shared across all eight applications. GTM is a legitimate tool that allows developers to inject JavaScript dynamically into their applications. However, GTM can be abused to conceal malicious or risky behaviors, since the link to the JavaScript stored in GTM is https://www.googletagmanager.com/gtm.js?id={GTM ID} which doesn’t indicate the function of the code invoked.

Symantec claims that all apps connected to the same JavaScript library, Crypta.js, and used their GTM to activate it.

The eight applications were published by three accounts under the names "DigiDream", "1clean", and "Findoo". You can view the applications themselves in the screenshot below.

Interestingly, all the malicious apps in question were Progressive Web Apps (PWAs), which started hitting the Microsoft Store in April 2018. The report states that these mining applications launched in the Store in the April-December 2018 timeframe, and collectively boasted over 1,900 reviews. However, it is currently unclear how many of the reviews and downloads are legitimate, since these figures can be artificially inflated to improve visibility in the Microsoft Store.

While Microsoft promptly removed the harmful applications when Symantec reported its findings to the company on January 17, the event does raise some questions and concerns about apps present in the Microsoft Store. It's clear that the Redmond giant will be scrutinizing its review process to see how these malicious applications escaped through its filters. Symantec, on the other hand, is now encouraging users to download its security apps, regularly update their software, and closely monitor their device's resource usage to mitigate security risks like these.

Source and image: Symantec via Softpedia News