Mac developer slides in crypto-miner in exchange for premium features, Apple doesn’t mind

Calendar apps aren’t exactly the rage, but one developer has managed to squeeze in just enough functionality to get people to pay for it, and even to mine cryptocurrency for the seller in exchange for premium features.

It’s the story of Calendar 2, a popular calendar utility created by Qbix, Inc. and distributed through Apple’s walled garden known as the App Store – specifically, the Mac version.

In addition to serving as a regular calendar, the software has an array of neat tricks up its sleeve, such as a built-in weather forecast, Facebook integration, Flickr-powered backgrounds and more.

With the latest update, issued to users worldwide, the developer decided to add yet another feature – this time to diversify its monetization scheme – a crypto miner.

Crypto miners are tools designed to harness the processing power of users’ computers, typically unbeknownst to them. The practice is called cryptojacking, marrying the terms cryptography and hijacking.

But in the case of Calendar 2 and its crypto-mining feature, the developer has been more than straightforward, stating loud and clear that if users want all the advanced features without paying the $0.99 a month, they can allow the app to “unobtrusively generate crypto-currency in the background.”

Although the developer was straightforward about his intentions, the miner didn’t work as planned. Because of several bugs in its code, the miner kept running even when users opted out, in some cases inflicting 200% CPU loads.

One unhappy user wrote:

“I was pleased with this app till it started doing weird things. From one day to the next I kept getting pop up alerts from the computer saying “xmd-stak unexpectedly quit” over and over and OVER again. No matter if I hit ignore or Report it would keep popping up. I bought a malware and virus removal for my mac, it could not find anything. Finally it hit me that it could possibly be the new update from this calendar app. IT WAS! An app should not be able to all of a sudden change your settings and turn it into a crypto mining machine. It uses up so much memory, power, and it slows the computer down. I immediately removed it and came to write a review, and I never write reviews.”

Others quickly followed, leading news outlets to take notice. Ars Technica even went and reported it to Apple. The iPhone maker, strangely, didn’t yank the app from the store, leading some to believe Apple might be okay with developers including crypto-miners in their apps as alternative revenue streams.

Soon after the news broke, Qbix founder Gregory Magarshak released a statement apologizing for causing users distress with the new version of his calendar app.

“Ultimately, even though we technically could have remedied the situation and continued on benefiting from the pretty large income such a miner generates, we took the above as a sign that we should get out of the ‘mining business’ before we get sucked into the Proof of Work morass of incentives,” Magarshak wrote in an email.

Calendar 2 has since been updated to a new version that doesn’t include the miner.

The cryptocurrency gold rush has prompted legions of developers, hackers and legitimate businesses alike to embed crypto-mining tools in their software offerings or websites in hopes of fast profits overnight, or to generate additional sources of income.

While not malicious in nature, mining tools are often used by webmasters or developers to essentially hijack end-users’ CPUs without their consent. These practices have become so common that AV vendors, including Bitdefender, now detect and classify browser-based crypto-miners as malware.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Filip Truta.