Microsoft's Store is not a safe haven
Symantec discovered eight applications in the official Microsoft Store that, once installed, ran cryptomining operations in the background without informing the user.
One of the main arguments for integrating the Microsoft Store in Windows 8 and Windows 10, unveiled in 2011 by Microsoft, was that it protected users from installing malicious or problematic applications on their devices because of a review process and other safeguards.
While it is certainly the case that Windows Store offers a safer environment, it is far from the safe haven that Microsoft would like it to be.
We talked about deceiving apps, copycat apps, and deceptive apps in the past, and covered Microsoft's attempts to improve quality by pruning low quality applications.
The introduction of PWA support appears to have opened the door for another type of unwanted software: cryptomining.
Symantec discovered eight applications in Microsoft Store that started cryptomining operations as soon as they were installed and launched by users from the Microsoft Store.
The applications were published by three developers, but there is strong evidence that a single person or group is responsible for all of them. The evidence: all of the applications used the same mining key and Google Tag Manager key, and all shared the same origin (but different domains).
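The attribution step described above can be reproduced by clustering apps on the identifiers embedded in their scripts. The following Python sketch is an added example, not Symantec's tooling and not code from the original article; the sample records, the Google Tag Manager IDs, the keys and the `siteKey` field name are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (app, publisher, embedded script); all values are invented.
# "siteKey" is a hypothetical config field standing in for the mining key.
APPS = [
    ("app-1", "Publisher A", "load('GTM-CONSTR1'); miner({siteKey: 'CONSTRUCTED-KEY-1'});"),
    ("app-2", "Publisher B", "load('GTM-CONSTR1');"),
    ("app-3", "Publisher C", 'miner({siteKey: "CONSTRUCTED-KEY-1"});'),
    ("app-4", "Publisher D", "load('GTM-OTHER99');"),
]
GTM_RE = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")
KEY_RE = re.compile(r"siteKey\s*:\s*['\"]([^'\"]+)['\"]")

def indicators(js):
    """Return the set of (type, value) indicators embedded in one app's script."""
    return ({("gtm", v) for v in GTM_RE.findall(js)}
            | {("mining_key", v) for v in KEY_RE.findall(js)})

def cluster(apps):
    """Union-find: apps sharing any indicator, directly or transitively, merge."""
    parent = list(range(len(apps)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    first_seen = {}
    for i, (_, _, js) in enumerate(apps):
        for ind in indicators(js):
            if ind in first_seen:
                parent[find(i)] = find(first_seen[ind])
            else:
                first_seen[ind] = i
    groups = defaultdict(list)
    for i in range(len(apps)):
        groups[find(i)].append(apps[i])
    return list(groups.values())

def cross_publisher_clusters(apps):
    """Report clusters whose members were published under different names."""
    report = []
    for members in cluster(apps):
        publishers = sorted({pub for _, pub, _ in members})
        if len(publishers) < 2:
            continue
        counts = Counter(ind for _, _, js in members for ind in indicators(js))
        report.append({"apps": sorted(app for app, _, _ in members),
                       "publishers": publishers,
                       "shared": sorted(k for k, n in counts.items() if n > 1)})
    return report
```

On the constructed data, app-2 and app-3 share no identifier with each other, yet both land in the same cluster through app-1, which is why the grouping is transitive rather than a simple key lookup.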
The apps were fairly popular, judging from the 1900 ratings that they received between publication in April 2018 and December 2018. It is certainly possible that part of the ratings came from fake accounts or services that rate apps in return for payment.
Microsoft does not reveal installation counts for applications; it is unclear if the applications landed on thousands, hundreds of thousands, or even more devices running Windows 10.
Windows 10 users were exposed to these applications in various ways: when they searched for apps in the Store, browsed the free listings, or were directed to the Store from websites that linked to these applications.
According to Symantec, the applications used the majority of the computer's CPU cycles for mining operations.
Symantec informed Microsoft about the applications, and Microsoft has removed them in the meantime from the Store.
While it is certainly arguable that cryptocurrency mining is less harmful than a device's infection with malicious software or ransomware, it is clear that Microsoft Store users need to be careful when it comes to the installation of apps from the Store.
I recommended that users verify app developers before they install apps in 2013. Microsoft's Store is not the only Store that hosted cryptomining applications or extensions. This particular form of unwanted software was previously found in extension stores, e.g. Mozilla's and Google's for the Firefox and Chrome browsers, and on Google Play.
Now You: do you use Store applications?
The main point of centralized application stores is supposed to be that applications are verified as safe by the store. This is how it works on linux. Of course evil entities like Google with their Play store and now Microsoft just saw that system as an opportunity to grab more control, censor, spy, and take their huge parasitical share on application payments, while not even doing the minimum work of removing malware. Worse than that, they have incentive to keep malware in store as long as they profit from it too.
Mozilla no longer cares about what they host so I trust no app stores on Windows any more. This is not the direction civilization was supposed to take! Thank heaven for Linux and BSD. (Not actually heaven but you get the idea.) ;-)
>The main point of centralized application stores is supposed to be that applications are verified as safe by the store. This is how it works on linux.
Not exactly. Snap packages (https://snapcraft.io/) and PPAs are proven to be vulnerable to uploads of malicious software. They may not hang around as long before being discovered but the risk is still there.
The ‘official’ repositories maintained by the distro are about as safe as one can get. Adding additional repositories and/or PPAs is risky and should be very carefully considered.
As is always the case, it boils down to ‘security vs convenience’.
Who even uses the Microsoft store? xD
It’s one of these “forced” things like Google+ and Microsoft Edge that people never got into.
True, however I see a future where Microsoft gives their store the Android treatment : first scaring ordinary users away from installing anything outside of it with warning messages “for their security”, then like in Android forcing them to go dig in the options to untick something in order to even be able to install something from another source… Sky is the limit.
None of them are safe including Apple’s. In a way Apple are the worst as protecting users is their excuse for the walled garden yet have been shown not to. I’ve not been on the MS store for quite a while but it used to be full of apps that implied they were some other popular app. But it’s got to the point where the number of people/companies I totally trust is very, very low these days.
The sad bit is you can’t even trust the OS you run things on (privacy not malware, although that’s a blurry line) with the exception of linux which isn’t a viable option for many.
But they are all a nice money maker for them. I presume MS get the same sort of cut.
“But they are all a nice money maker for them. I presume MS get the same sort of cut.”
Initially, Microsoft took a 30% cut of app sales until it reached US$25,000 in revenue, after which the cut dropped to 20%. Effective January 1, 2015, the reduction in cut at $25,000 was removed, and Microsoft takes a 30% cut of all app purchases, regardless of overall sales. Third-party transactions are also allowed, of which Microsoft does not take a cut. Individual developers are able to register for $19 USD and companies for $99 USD.
Exactly ZERO people are surprised.
Nothing is safe when you’re stupid.
Even Ubuntu warns about adding other repositories.
Nobody cares about your safety. It’s a fucking jungle out there and it’s your job to stay alert.
Uhm…the Store is a failure and it’s pretty well known to every Windows user by now. Just use trusted Win32 apps. That YOU can fully control.
Trusted like these fake Java / Adobe Reader updates with malware? No, thanks. Repository is the way to go.
None of these stores are. You see stories in the news about users being exposed to malicious/compromised apps every month or two…
They’re about locking things down, extracting money from third party developers and nothing else.
Martin, one minor nit-pick in your last paragraph: “I recommended that users verify app developers before they install apps in 2013.” It is 2019.
I meant that I recommended that in 2013 already.
That line refers to an article that was written back in 2013, so how is it wrong?
I’m in my 70s, and for decades I’ve used computers of all kinds since I typed input on a teletype and got output on punched paper tape. I used and enjoyed the Pet, TRS-80, Commodore, Spectrum, etc. Dabbled in all sorts of programming languages (though never claimed proficiency.)
Later I employed early IBM PCs to access the internet via bulletin boards and pre-DNS typed addresses.
Later still I enjoyed the early days of social media and internet business.
But now – today – with the internet offering dangers we could hardly predict 2 or 3 decades ago, I’m wondering what my attitude might be if I’m spared into my 80s. Will it perhaps be – “Hey – can you remember when we used to trust that crap we called an internet?”
Am I alone in wondering if
I never bothered with the Microsoft store, never really saw much sense to it after the mobile stuff failed. Yet Microsoft still tries to develop Windows versions that rely on it, even though it appears the rest of Microsoft AKA Office, Skype etc has abandoned it.
I like using Windows as an OS, but nothing more, the other stuff is just noise and annoyances I try to avoid at all cost. Give me a reliable OS and I’ll decide what to install and where to install it from.
Nothing is perfectly secure including the Apple Store.
The CCleaner install was hacked, a long trusted product not found in the Windows Store. An ideal target.
Vulnerabilities caused by the installation of antivirus software products have created back doors to malware. I don’t see a rating or any mention of that at AV Comparatives. They do care deeply about false positives.
Looking at the 8 products mentioned in this article I would not have installed any of them. So what, they will get harder to spot.
Hopefully Microsoft will be able to leverage their enterprise security products to further buttress the Windows store.
Wait, there are people who think that the Microsoft (or any) Store is a safe haven? My mind boggles.
Is Ninite still trustworthy..?
Last time I used windows that’s where I got my free un-contaminated software..
That was, I would guess, patterned after Linux’s “Software Centers” which aren’t stores as everything is free.
Yes there was some malware found on a Linux curated DL thing-y…..
It was considered a scandal.
Not business as usual.
While nothing is perfect…pretty much linux is free of this…malfeasance.
If the Microsoft Store is so horrible, Martin, why do you publish a list of the “best apps from the Microsoft Store” every week on Betanews?
Store is lame. I use a desktop computer. I don’t need these crummy mobile apps that break every update and then someday be discontinued. Groove, Story Remix, Sway, etc. I use programs that are offline at all times with no dumbed-down mobile interface.
The Microsoft Store doesn’t house “mobile” apps any more, since Windows Phone 10 is dead. The Store houses (mostly) UWP (Universal Windows Platform) apps, which are supposed to work on x86 as well as ARM. Microsoft started adding “Centennial” apps (desktop x86 apps packaged for the Windows Store that *don’t* work on ARM) afterwards, to try to “court” Windows Store developers. It didn’t (quite) work out that way; hardly anybody uses the Store. Even the Windows Store version of Skype was derided as incomplete and horrible.
For anyone interested, Sergey Tkachenko of Winaero Tweaker fame has some decent instructions on using the Registry and Group Policy Editor to disable the MS Store and Apps. Informative article at: https://winaero.com/blog/disable-microsoft-store-apps-windows-10/ I use the Firefox extension / Add-on Print Friendly & PDF, and it shows a date of 19 Feb 2019 for the article. I tried asking Winaero if they would add the date to their articles so it is easy to see, but I don’t see that yet. Thanks Martin for adding the date to articles and the url address, very helpful.