There’s a currency miner in the Mac App Store, and Apple seems OK with it



A version of Calendar 2 downloaded on Sunday from the Mac App Store.

apps that covertly harness millions of devices, in some cases with malware so aggressive it can physically damage phones. A popular title in the Mac App Store recently embraced coin mining openly, and so far Apple gatekeepers haven't blocked it.

The app is Calendar 2, a scheduling app that aims to include more features than the Calendar app that Apple bundles with macOS. In recent days, Calendar 2 developer Qbix endowed it with code that mines the digital coin known as Monero. The xmr-stack miner isn't supposed to run unless users specifically approve it in a dialog that says the mining will be in exchange for turning on a set of premium features. If users approve the arrangement, the miner will then run. Users can bypass this default action by selecting an option to keep the premium features turned off or to pay a fee to turn on the premium features.

Feels like the first time

If Calendar 2 isn't the first known app offered in Apple's official and highly exclusive App Store to do currency mining, it's one of the very few. The discovery comes as sky-high valuations have pushed the limits of currency mining and led to a surge of websites and malware that surreptitiously mine digital coins on mobile devices, personal computers, and business servers. Calendar 2 is slightly different in the sense that it clearly discloses the miner it runs by default. That puts it in a grayer zone than most of the miners seen to date.

"On the one hand, using the user's CPU for cryptomining has become extremely unpopular," Thomas Reed, director of Mac offerings at antimalware provider Malwarebytes, told Ars. "The fact that this is the default is something I don't like. I would want to see a legit app informing the user in advance or making it an option that can be turned on but is off by default. On the other hand, they [the developers] do disclose that they are doing it and give other options for people who don't like it. My personal feeling on this is that, given the disclosure, I think the user should be allowed to make their own choice. Some people might be perfectly willing to let an app like this mine cryptocurrency so that they can use it for free."

Apple representatives didn't respond to emails asking if the recently updated Calendar 2 violated App Store terms and services. Almost 24 hours after Ars alerted them to the app, it remained available for download. Patrick Wardle, a researcher specializing in macOS security, has a detailed analysis of the miner here.

In an email, Qbix founder Gregory Magarshak said the rollout of the currency miner has been complicated by two bugs that prevented it from working as intended. The first flaw caused the miner to run indefinitely, even when users changed the default setting. The second bug caused the miner to consume more resources than planned. Developers programmed the miner to use 10 percent to 20 percent of a Mac's computing power, depending on whether the machine was plugged in. The new miner has been using much higher percentages.
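A defender-side triage check for the failure mode described above, added here as an example and not code from the article, from Qbix or from Malwarebytes: it reads `ps`-style output and lists processes that either match a known miner binary name or exceed the 20 percent CPU ceiling the developer said the miner was meant to respect. The `ps` text is constructed sample data, and the paths and PIDs in it are made up.

```shell
#!/bin/sh
# Added example: flag runaway or miner-like processes from ps-style output.
# SAMPLE_PS is constructed stand-in data for `ps -Ao pid,pcpu,comm` on a Mac;
# the PIDs and paths are invented for illustration.
SAMPLE_PS='  PID  %CPU COMM
  312   1.2 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
 4410  96.5 /Applications/Calendar 2.app/Contents/Resources/xmr-stak
 4411   3.0 /Applications/Calendar 2.app/Contents/MacOS/Calendar 2
 5100  45.0 /Applications/Xcode.app/Contents/MacOS/Xcode'

# flag_miners LIMIT: reads ps-style text on stdin and prints one line per
# suspect process as "pid cpu reason". A process is reported when its command
# name matches a known miner binary (reason known-miner-name) or, failing that,
# when its CPU share is above LIMIT percent (reason over-cap, for human review).
flag_miners() {
  limit="$1"
  awk -v limit="$limit" 'NR > 1 {
    pid = $1; cpu = $2
    # Rebuild the command path, which may contain spaces ("Calendar 2.app").
    comm = $3
    for (i = 4; i <= NF; i++) comm = comm " " $i
    reason = ""
    if (tolower(comm) ~ /xmr-stac?k|xmrig|minerd/) reason = "known-miner-name"
    else if (cpu + 0 > limit + 0) reason = "over-cap"
    if (reason != "") print pid, cpu, reason
  }'
}

# count_flagged LIMIT: number of suspect processes in the sample at that cap.
count_flagged() {
  printf '%s\n' "$SAMPLE_PS" | flag_miners "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report anything above the 20 percent cap.
printf '%s\n' "$SAMPLE_PS" | flag_miners 20
```

On a live machine, replace the sample with `ps -Ao pid,pcpu,comm | flag_miners 20`; the over-cap entries are only candidates for review, since busy legitimate apps will also appear there.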

Magarshak wrote:

In short, as you can imagine, these two bugs caused issues for many of our users. We got a lot of messages saying "I love your app and used it for many years, but this version is kicking my computer into overdrive! Please fix it ASAP." (Paraphrased.) And so forth. What started out as a well-meaning option to just let people try out a new way to get all features unlocked became an option that made many people associate "mining" with huge CPU consumption.

The miner—or at least the bugs found in the one released—has generated plenty of criticism on social media.

Qbix is in the process of publishing an update to fix the bugs. Magarshak went on to note that he has long criticized what he says is an "arms race to waste electricity to solve hashes." Such arms races are created by currency mining based on what's known as "proof of work" computing. He said he's considering removing the miner altogether from Calendar 2. For now, it's still there, and there's no indication Apple has any plans to change that.

Update: In an e-mail sent about 90 minutes after this post went live, Magarshak said he has decided to remove the miner from future versions of Calendar 2. He explained:

We have decided to REMOVE the miner in the app. The next version will remove the option to get free features via mining. This is for three reasons:

1) The company which provided us the miner library did not disclose its source code, and it would take too long for them to fix the root cause of the CPU issue.

2) The rollout had a perfect storm of bugs which made it seem like our company *wanted* to mine crypto-currency without people's permission, and that goes against our whole ethos and vision for Qbix.

3) My own personal feeling that Proof of Work has a dangerous set of incentives which can lead to electricity waste on a global scale we've never seen before. We don't want to get sucked into this set of incentives, and hopefully our decision to ultimately remove the miner will set some sort of precedent for other apps as well.

Ultimately, even though we technically could have remedied the situation and continued on benefiting from the pretty large income such a miner generates, we took the above as a sign that we should get out of the "mining business" before we get sucked into the Proof of Work morass of incentives.

Apple representatives have yet to return requests for comment.