Several Cryptojacking Apps Found on Microsoft Store

Cryptojacking Apps

Among the latest discoveries of the Symantec are the eight apps on the Microsoft that have been really found to have the capacity to mine the Monero even without the user’s authority or knowledge! The potentially unwanted applications commonly known as the PUAS was discovered on the 17th date of January. These potentially unwanted applications are actually contained in the store that belongs to microsoft and they actually utilize the users CPU power to mine the Cryptocurrency. After being reported to Microsoft, it was actually scrapped from the store.

The applications actually included those which can be used by the computer and also the battery optimization tutorial, the web browsers and the internet search. Others include video viewing and download apps. They are believed to originate from three developers. The developers are the DigiDream, 1Clean and also the Findoo. The 8 applications from these developers were actually found out to contain some characteristics that may really poss risk. Further investigations showed that there are chances that it was developed by the same manufacturer or group

What really makes them popular is the fact that they appear in the top list of the Microsoft store as the free apps. It can also be found through the keyword search.The applications can actually run on the windows 10 such as the windows 10 S mode.

This application will really begin their process when they have been downloaded after which it is launched.They actually fetch a JavaScript that can mine coin actually initiating the application called the GTM in the servers contained in their domain. This process then gets initiated and the mining script starts using the computer’s cycles in the CPU to mine coins for the operators. What really makes these applications questionable is the fact that they appear to have well-defined privacy policies but they actually fail to include the coin mining process on their descriptions.

The records have it that the apps were actually published on 2018 between the months of April and December meaning that it has received a lot of views. These apps have been in the apps store meaning that majority may have downloaded them. The reviews also as per December 2018 showed that it had over 1900 ratings but this really cannot be used to find the right number of the download frequency since it has actually be proven to exist criteria where the ratings are fraudulently inflated. The exact number of users who may have downloaded the app may really not be accurately established.

Mining script

The manifest file where the apps’ domains are hard coded is shown below;

When each app is actually launched, there is really an unauthorized silent visit of the domain where it really triggers the GTM. the GTM is triggered using the GTM keys PRFLJPX which is then distributed in the 8 applications.actualy GTM is really a legitimate tool that makes it possible for the developers to have the Javascript dynamically injected into their applications. Notably, this GTM app has been sometimes abused by the users so as to hide the behaviors that are really malicious and risky! For instance, the link to the JavaScript that’s often stored in the GTM actually doesn’t indicate the function of the code that’s is triggered when its launched. The link is ({GTM ID} )

After effective monitoring of all the traffic that is generated from these applications, it was really established to connect to one location that is actually known for its coin mining activities. This remote location is;

When they have launched the apps it will then access their own GTM and, therefore, activate the mining script. When the crypta.js which is actually an encrypted library was decoded it was actually established to be a version of a coinhive library that actually mines the monero. Many reports have really shown that the coin has have been fraudulently used by tas a crypto jacking agent even without the knowledge of the visitors since its launching date on September 2107!

The miners’ activation source code was also investigated and it was actually established that the miner was actually working with the key da8c1ffb984d0c24acc5f8b966d6f218fc3ca6bda661 which is actually a defined wallet for the coin hive.

The apps are actually categorized under the progressive web applications which are often installed as the part of the Windows 10 apps that will actually run independently from the browser in a window that’s really a standalone type.

Shared domain name servers the master servers for each an every app was actually found from the apps’ network traffic. It was actually established through a “who is” a query that all these servers do really have a likely common origin. This really proved the allegation that the apps might have been really having the same origin or they were actually born from the same manufacturer. They may have really been published by the same manufacturer who may have only varied the names!

After the reports were made to the Microsoft and also the google about the misbehavior of his apps, the Microsoft has really taken action and they have removed the applications from the store. The action has also been taken towards the mining JavaScript and has been actually removed from the google tag manager.


These are the precautions you should really take to stay safe from the online threats;

  •  Start by updating your software
  • Always cease from downloading the apps from the unrecognized sources
  • Ensure that the apps that you install are from the trusted suppliers
  • Be keen on the permissions that your app will always request you
  • Always be concerned with the CPU and the memory of your device
  • Ensure that a safety app is installed. You can really pick the from the link; or even the Symantec endpoint protection for the best security of your device.
  • Ensure you make the frequent backups of the data that you really think is important

For security

Ensure that you choose the Symantec and also the /setup since their products and the apps are really the best following their best abilities to detect the Javascript cryptocurrency miner and the apps that may be unsuitable such as the

  • PUA downloader
  • Miner .jswebcoin