Legitimate apps bundled up with secret Bitcoin miner
As the value of Bitcoin continues to rise, a lot of people are trying to cash in on the craze. Some do it legally, by getting their own machines to perform the calculations required, and others try to make other users’ machines do it for them.
This latter option is usually performed illegally, by installing malware on the victims’ machines without their approval and knowledge, but there are instances when these greedy scammers try to get users to agree to the practice by fooling them with sneaky end-user license agreements (EULAs).
Malwarebytes researchers have recently discovered a similar scheme they traced back to a legitimate company by the name of Mutual Public (aka We Build Toolbars, LLC).
The company in question has created YourFreeProxy, a piece of software that creates a virtual private network between a device and the Internet, and has offered it for free to those that don’t mind ads, and for sale for those who do.
But, they have also put in the EULA the following statement:
“COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.”
“Mutual Public” is the Mutual Public Installer, which the user agrees to install on the computer when choosing to use YourFreeProxy, and it also “may include features, links to, or RSS (or other) feeds from third party partners” – features or content that WBT is not responsible for.
Among other things, the process (monitor.exe) started by the installer “beacons out constantly, waiting for commands from a remote server, eventually downloading the miner and installing it on the system,” as explained by Malwarebytes’ Adam Kujawa.
“In my opinion, Potentially Unwanted Programs have gone to a new low with the inclusion of this type of scheme, they already collected information on your browsing and purchasing habits with search toolbars and redirectors,” he notes. “They assault users with pop-up ads and unnecessary software to make a buck from their affiliates. Now they are just putting the nails in the coffin by stealing resources and driving user systems to the grave.”
The company has likely covered itself legally by including the statement in the EULA (Or has it? Were those calculations really necessary for increasing security? Or was that just a clever way to pacify those few users who read the agreement, and an outright lie?)
Whatever the reality turns out to be, you can be sure that users were probably not satisfied with the speed of their machine after they downloaded and installed YourFreeProxy. According to the researchers and the user who flagged the suspicious file in the first place, the sneaky Bitcoin miner has been using up 50 percent of the system resources.
“So take note if your system is running especially slow or if a process is taking up massive amounts of your processing power; it might be malware or even a PUP running a miner on your system,” warns Kujawa.