Calendar 2 mining Monero by default removed from Mac App Store

by Gabriel E. Hall

Calendar 2 app infected with Monero miner found spreading on Mac App Store 

Monero miner detected on Mac App Store as a component of Calendar 2 app

Apple is allowing distribution of the Calendar 2 app bundled with the Monero XMR-Stak miner, ArsTechnica reported yesterday.[1] Interest in cryptocurrencies and mining has been growing steadily since 2009 and eventually reached the so-called “Crypto Crazy.”[2] Apple seems to be keeping pace with the cryptocurrency mining trend, approving apps on the Mac App Store that bundle the Monero XMR-Stak miner as legitimate and safe to use.

Mac App Store users from all around the world could dip their toes into cryptocurrency mining by downloading the Calendar 2 app developed and maintained by Qbix Ltd. The app contains the XMR-Stak miner[3] as one of its default components. Although XMR-Stak is a highly optimized, open source, stratum-based pool miner used to mine the Monero cryptocurrency, the decision to allow it as a default app component on the Apple App Store is highly questionable.

Apple does not seem to be worried about cryptocurrency miner infected apps

Calendar 2 is a legitimate application developed by Qbix. Both the program and the company are legal and have a considerable number of users. However, the installation of the XMR-Stak miner by default when the user agrees to the default terms raises suspicions.

However, Thomas Reed,[4] a director of Mac offerings at antimalware provider Malwarebytes, claims that this single case of the Mac App Store distributing crypto-miners can turn into regular practice. He says:

The fact that this is the default is something I don't like. I would want to see a legit app informing the user in advance or making it an option that can be turned on but is off by default. On the other hand, they [Qbix] do disclose that they are doing it and give other options for people who don't like it. My personal feeling on this is that, given the disclosure, I think the user should be allowed to make their own choice. Some people might be perfectly willing to let an app like this mine cryptocurrency so that they can use it for free.

Cryptocurrency mining malware does not ask for permission to be installed. Such miners are disguised as legitimate system files and misuse CPU and GPU resources, so the infected device is sometimes difficult to use. The Calendar 2 app, by contrast, does disclose the installation of the XMR-Stak miner. The setup screen of the app says:

Enable All Calendar Features!

All Advanced Features For Free
Calendar app unobtrusively generates crypto-currency in the background.

All Advanced Features Permanently
$17 Pay once to unlock all new future Calendar features

All Advanced Features
$0.99/month Monthly subscription to unlock all new future Calendar features

Disable All Advanced Features
You just get the basic calendar that hangs off your menubar, with none of the extras.

Calendar 2 users are free to choose what kind of service and payment method they prefer. Approval is explicitly required, so experts are reluctant to consider this app illegal.

Crypto-miner runs even though the user disapproves of using it

Many Calendar 2 users reported that the app runs the XMR-Stak miner in the background even if they choose to pay for the advanced features in USD. According to them, CPU usage increases from 10 to 50 percent, causing severe slowdowns.

ArsTechnica asked Apple to comment and to say whether it approves or disapproves of the new trend of cryptocurrency mining apps being distributed on the Mac App Store. However, the company hasn't yet responded. The app is still available on the App Store shelves.

Nevertheless, Gregory Magarshak, the founder of Qbix, got ahead of Apple and explained that the app was not supposed to run the miner by default. According to him, due to many complaints regarding CPU usage and unusual system behavior triggered by the installation of the Calendar 2 app, the company suspended the distribution of XMR-Stak. According to Magarshak, this decision was made on the following grounds:

  • The company which provided us the miner library did not disclose its source code, and it would take too long for them to fix the root cause of the CPU issue.
  • The rollout had a perfect storm of bugs which made it seem like our company *wanted* to mine crypto-currency without people’s permission, and that goes against our whole ethos and vision for Qbix.
  • My own personal feeling that Proof of Work has a dangerous set of incentives which can lead to electricity waste on a global scale we’ve never seen before. We don’t want to get sucked into this set of incentives, and hopefully, our decision to ultimately remove the miner will set some sort of precedent for other apps as well.

It's not yet clear what Apple's position is in this whole story: whether it is going to dive into the crypto-currency craze by lowering the Apple gatekeeper for miners, or whether this was an accident. Although Apple is keeping its lips tight about this incident, the Calendar 2 app has already been taken from the Mac App Store.[5]

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
