How do you feel about paying a subscription for software?
Are you happy to pay a monthly fee to get new features as soon as they are developed, helping to support software houses, or do you think you should only have to pay once – or, perhaps, not at all.
It’s definitely the case that many people dislike paying software subscriptions, and resent that more and more products are moving in that direction. And perhaps that’s why Qbix, the developers of a popular Mac scheduling app called “Calendar 2”, recently shipped a version of their software with an alternative revenue-generating feature.
Rather than paying a flat fee of $17.99 or a 99 cents per month subscription to gain access to all of Calendar 2’s advanced features, the app now offered “All advanced features for free” if you allowed it to “unobtrusively” generate the Monero cryptocurrency in the background.
Now, I don’t necessarily have a problem with cryptomining *if* it is done with the full, conscious permission of the computer’s user, who is aware of the possible downsides.
Unfortunately, users complained that the app was cryptomining *without* their explicit permission.
@SGgrc @QbixApps Calendar 2 for Mac (from the App Store) launched a cryptocurrency miner without my permission. Then it ate 200% CPU until I found it and killed it. I didn't expect a miner infection from an App Store vendor. Wow. It runs the xmr-stak Monero miner.
— Fred Laxton (@fredonline) March 12, 2018
Security researcher Patrick Wardle analysed the app, and also managed to grab a screenshot of some of the poor reviews it was receiving on the Mac App store.
“This shady practice is not acceptable, and I don’t know how this app passed Apple’s quality inspection.”
“An app should not be able to all of a sudden change your settings and turn it into a cryptomining machine. It uses up so much memory, power and it slows the computer down. I immediately removed it and came to write a review, and i never write reviews.”
Okay, so this would be bad enough. But what’s worse is that the buggy cryptomining version of Calendar 2 was distributed via Apple’s Mac App Store, a marketplace that you expect to be safer than third-party sites because developers have to jump through some many hoops to have their apps approved.
The appearance of a cryptomining app in the official Mac App Store either suggests that Apple is allowing in apps that are open about cryptomining, or that Apple missed it.
And if Apple missed it, what other apps might be secretly harbouring malicious code in the Mac App Store?
If the complaining users are to be believed, the app may have been opening about its cryptomining but a bug meant that the cryptomining occurred even when users declined to participate.
The app has now been pulled from the Mac App Store, and developer Qbix has blamed the problem on a “perfect storm” of bugs that meant it didn’t work as intended.
As Ars Technica reports, Qbix thought their app would “only” use 10-20% of a Mac’s computer power, depending on whether it was plugged in or not… but actually used much more.
Qbix has decided that it will submit a new version of its app to the Mac App Store, which doesn’t include the third-party cryptomining code, and has said it had decided to “get out of the mining business.”
A good decision by them, I think. But meanwhile Apple probably needs to wake itself up to the growing interest in cryptomining within apps, and decide what it wants to do about it. At the time of writing Apple has declined to comment on whether Qbix broke any rules.
You can hear more about this incident on an edition of the “Smashing Security” podcast: