That battery-saving app may have used your device to mine Monero, Symantec says

Microsoft has removed the apps from its store.

Eight applications designed to hijack users’ computing power to generate cryptocurrency slipped past security guards and into the Microsoft store, security giant Symantec announced Friday, in what was only the latest example of hackers using online markets to spread illicit wares.

The apps masqueraded as Windows 10 tools to help users optimize their batteries, aid their internet searches and help stream or download video. In fact, each app was used to generate the cryptocurrency Monero. They were distributed by the developers DigiDream, 1clean and Findoo, though Symantec determined each app likely was developed by the same person or group.

The apps were called Fast-search Lite, Battey Optimizer (Tutorials), VPN Browser+, Downloader for YouTube Videos, Clean Master + (Tutorials), FastTube, Findoo Browser 2019 and Findoo Mobile and Desktop Search.

“Although we can’t get exact download or installation counts, we can see that there were almost 1,900 ratings posted for these apps,” Symantec said in a blog post. “However, app ratings can be fraudulently inflated, so it is difficult to know how many users really downloaded these apps.”


While Microsoft has removed the apps from its store, the research published Friday by Symantec only is the latest evidence scammers are using popular app stores to distribute programs that co-opt users’ devices for nefarious purposes.

Google this month removed from its Play Store an app that impersonated MetaMask, a legitimate Ethereum service. Instead of fulfilling its promise, though, the fake MetaMask aimed to steal a user’s credentials to access their cryptocurrency. Researchers first spotted this malware circulating on Microsoft tools in 2017, on Android devices in 2018 and then in the Play Store on Feb. 1 of this year, according to the security vendor ESET.

Another 17,000 Android applications are creating a permanent record of smartphone users’ web browsing activity for marketing purposes, according to findings from the International Computer Science Institute first shared with CNET. Many of those programs track users via their device’s MAC address, IMEI number and Android ID, according to CNET. Google said it will take action against apps found to be violating its terms of service.

A similar issue also has haunted WordPress website owners in recent months. A security developer at WebARX revealed on Monday a vulnerability that could have allowed attackers to change the settings on some 40,000 websites by exploiting the widely used Simple Social Buttons plugin.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts