In January, security researchers from Symantec found cryptomining applications in the Microsoft App Store that had been published there between April and December 2018. It’s not clear how many users downloaded or installed the apps, but they had almost 1,900 user ratings.
The rogue applications posed as browsers, search engines, YouTube video downloaders, VPN tools and computer optimization tutorials, and were uploaded by three developer accounts called DigiDream, 1clean and Findoo. However, the Symantec researchers believe the apps were created by a single person or the same group of attackers, since they all share the same origin domain on the backend.
The programs were published as Progressive Web Applications (PWA), a type of app that works like a web page but also has access to the computer hardware through APIs, can send push notifications, use offline storage and otherwise behave much like a native program. Under Windows 10, these applications run independently of the browser, in a standalone process called WWAHost.exe.
The script loaded by the apps is a variant of Coinhive, a Web-based cryptocurrency miner that has been used in the past by attackers to infect websites and hijack visitors’ CPU resources.
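Because the mining script runs inside the standalone WWAHost.exe process rather than the browser, one defender-side hunting heuristic is to look for that process holding the CPU for several consecutive telemetry samples. The following is an added example, not Symantec's code or anything from the article; it assumes a constructed, time-ordered log format ("timestamp host process pid cpu_pct") rather than any real EDR schema.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): time-ordered CPU samples per process.
SAMPLE_LOG = """\
2019-02-15T10:00:00Z host1 WWAHost.exe 4120 12.5
2019-02-15T10:00:30Z host1 WWAHost.exe 4120 91.0
2019-02-15T10:01:00Z host1 WWAHost.exe 4120 88.2
2019-02-15T10:01:30Z host1 WWAHost.exe 4120 93.7
2019-02-15T10:02:00Z host1 WWAHost.exe 4120 90.4
2019-02-15T10:00:00Z host1 WWAHost.exe 5300 3.1
2019-02-15T10:00:30Z host1 WWAHost.exe 5300 2.0
2019-02-15T10:01:00Z host1 chrome.exe 880 95.0
2019-02-15T10:01:30Z host1 chrome.exe 880 97.0
2019-02-15T10:02:00Z host1 chrome.exe 880 96.0
"""

# Hypothetical line layout assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<cpu>[\d.]+)$"
)


def parse(log_text):
    """Yield (host, process, pid, cpu_pct) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("host"), m.group("proc"), int(m.group("pid")), float(m.group("cpu"))


def find_sustained_cpu(log_text, process_name="WWAHost.exe", threshold=80.0, min_samples=3):
    """Return (host, pid) pairs where process_name stayed at or above `threshold`
    percent CPU for at least `min_samples` consecutive samples. A single spike
    resets nothing; a single low sample resets the streak, so short bursts of
    legitimate work are not flagged."""
    streak = defaultdict(int)
    flagged = []
    for host, proc, pid, cpu in parse(log_text):
        if proc.lower() != process_name.lower():
            continue
        key = (host, pid)
        streak[key] = streak[key] + 1 if cpu >= threshold else 0
        if streak[key] == min_samples:  # flag once, when the streak first reaches the bar
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    print(find_sustained_cpu(SAMPLE_LOG))  # [('host1', 4120)]
```

Sustained CPU alone is only a triage signal: a flagged WWAHost.exe instance still needs to be tied back to the installed PWA and the script it loads before it is treated as a miner.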
This incident shows that cryptocurrency mining remains of high interest to cybercriminals. Whether it’s to hijack people’s personal computers or servers in datacenters, they are always on the lookout for new ways to deploy coinminers.
Over the past two years, attackers have launched coinmining attacks through Android apps hosted on Google Play, through browser extensions for Google Chrome and Mozilla Firefox, through regular desktop applications, through compromised websites and now, through Windows 10 PWA. There are also a variety of botnets that infect Linux and Windows servers with cryptocurrency mining programs by exploiting vulnerabilities in popular Web applications and platforms.
Users are often advised to only download applications from trusted sources, whether on their mobile devices or computers. However, with rogue apps frequently finding their way into official app stores, relying on that advice alone for protection is no longer an option.