Calendar 2 app pulled from Mac App Store after cryptomining controversy

How do you feel about paying a subscription for software?

Are you happy to pay a monthly fee to get new features as soon as they are developed, helping to support software houses, or do you think you should only have to pay once – or, perhaps, not at all?

It’s definitely the case that many people dislike paying software subscriptions, and resent that more and more products are moving in that direction. And perhaps that’s why Qbix, the developers of a Mac scheduling app called “Calendar 2”, recently shipped a version of their software with an alternative revenue-generating feature.

Rather than paying a flat fee of $17.99 or a 99 cents per month subscription to gain access to all of Calendar 2’s features, the app now offered “All features for free” if you allowed it to “unobtrusively” generate the Monero cryptocurrency in the background.

Now, I don’t necessarily have a problem with cryptomining *if* it is done with the full, conscious permission of the computer’s user, who is aware of the possible downsides.

Unfortunately, users complained that the app was cryptomining *without* their explicit permission.

Researcher Patrick Wardle analysed the app, and also managed to grab a screenshot of some of the poor reviews it was receiving on the Mac App Store.


“This shady practice is not acceptable, and I don’t know how this app passed Apple’s quality inspection.”

“An app should not be able to all of a sudden change your settings and turn it into a cryptomining machine. It uses up so much memory, power and it slows the computer down. I immediately removed it and came to write a review, and I never write reviews.”

Okay, so this would be bad enough. But what’s worse is that the buggy cryptomining version of Calendar 2 was distributed via Apple’s Mac App Store, a marketplace that you expect to be safer than third-party sites because developers have to jump through so many hoops to have their apps approved.

The appearance of a cryptomining app in the official Mac App Store either suggests that Apple is allowing in apps that are open about cryptomining, or that Apple missed it.

And if Apple missed it, what other apps might be secretly harbouring malicious code in the Mac App Store?

If the complaining users are to be believed, the app may have been open about its cryptomining but a bug meant that the cryptomining occurred even when users declined to participate.

The app has now been pulled from the Mac App Store, and developer Qbix has blamed the problem on a “perfect storm” of bugs that meant it didn’t work as intended.

As Ars Technica reports, Qbix thought their app would “only” use 10-20% of a Mac’s computer power, depending on whether it was plugged in or not… but actually used much more.

Qbix has decided that it will submit a new version of its app to the Mac App Store, which doesn’t include the third-party cryptomining code, and has said it had decided to “get out of the mining business.”

A good decision by them, I think. But meanwhile Apple probably needs to wake itself up to the growing interest in cryptomining within apps, and decide what it wants to do about it. At the time of writing Apple has declined to comment on whether Qbix broke any rules.


About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and gives presentations on the topic of computer security and online privacy.

Follow him on Twitter at @gcluley, Google Plus, Facebook, or drop him an email.
