Calendar Application in macOS App Store is Mining Monero

The Mac App Store has been hosting applications that contain cryptocurrency miners, which run in the background in exchange for giving users additional features, with no option to opt out of the mining. Apple still hasn’t taken the application down from the App Store, even after Ars Technica reported the problem.

The application provides more features than the stock calendar application provided by Apple. In one of the application’s latest updates, its developer, Qbix, added extra code to mine Monero, a digital coin launched in April 2014 and meant to be a more anonymous version of Bitcoin, as its transactions can’t be viewed on a public ledger.

Users of the application will receive additional features in exchange for permitting it to mine cryptocurrency. Magarshak said:

In short, as you can imagine, these two bugs caused issues for many of our users. We got a lot of messages saying “I love your app and used it for many years, but this version is kicking my computer into overdrive! Please fix it ASAP.” (Paraphrased.) And so forth. What started out as a well-meaning option to just let people try out a new way to get all features unlocked became an option that made many people associate “mining” with huge CPU consumption.

One user, Fred Laxton, said on Twitter:

Calendar 2 for Mac (from the App Store) launched a cryptocurrency miner without my permission. Then it ate 100% CPU until I found it and killed it. I didn’t expect a miner infection from an App Store vendor. Wow. It runs the xmr-stak Monero miner.

The company that develops the application said that it’s in the process of publishing an update which is going to fix the CPU issue. The company has released a statement to the users explaining the events.

  1.  The company which provided us with the miner library did not disclose its source code, and it would take a long time for them to fix the root cause of the CPU issue.
  2.  The rollout had a perfect storm of bugs which made it seem like our company *wanted* to mine crypto-currency without people’s permission, and that goes against our whole ethos and vision for Qbix.
  3.  My own personal feeling that Proof of Work has a dangerous set of incentives which can lead to electricity waste on a global scale we’ve never seen before. We don’t want to get sucked into this set of incentives, and hopefully, our decision to ultimately remove the miner will set some sort of precedent for other apps as well.

Ultimately, even though we technically could have remedied the situation and continued on benefiting from the pretty large income such a miner generates, we took the above as a sign that we should get out of the “mining business” before we get sucked into the Proof of Work morass of incentives.


Source: Ars Technica, The Verge
