Calendar 2 Cryptocurrency Mining App Discovered In Curated Mac App Store

Macbook

Everyone is looking to make a buck with cryptocurrency these days, and unfortunately it has gotten to the point where even unrelated apps and websites are prone to using your device's resources for mining, often without the user's consent. It has been a problem for Google Play, and now also the Mac App Store. It's been discovered that Calendar 2, a popular app for Apple systems, contains a misbehaving cryptocurrency mining feature.

Calendar 2 is a scheduling app that is a bit more robust than the one that Apple includes with macOS. The added features have been popular with users, Within the last few days, however, developer Qbix injected code with instructions to mine Monero. Called xmr-stack miner, the embedded code is only supposed to run when users approve it through a dialog box, in exchange for unlocking premium features.

One issue here is that his might be the first cryptocurrency miner in the Mac App Store. If not, it's at least one of the first. Apple has not said whether the updated Calendar 2 app violates the app store's terms of service, and by extension, it is not clear what Apple's stance is on cryptocurrency mining in general. That is not the only potential issue, though.

A potentially bigger concern is that the Calendar 2 app has been mining Monero by default, rather than being an opt-in feature for users who want to unlock premium bells and whistles without paying for them. Qbix blamed this on a bug in the code. To compound the issue, another flaw in the code was causing the miner to use more resources than intended. As designed, it was supposed to use 10-20 percent of a Mac's computing power, but has been using much more than that.

Qbix admitted to Arstechnica that the pair of bugs "caused issues for many of our users." The developer said it was a well-meaning feature, but that users complained it was kicking their systems into overdrive.

This has not been a good look for Qbix or its Calendar 2 app. In an updated statement, Qbix said it has decided to remove the miner altogether, saying that the company that provided the miner library did not disclose the source code and it would take too long to dig through it and fix the buggy behavior.

"Ultimately, even though we technically could have remedied the situation and continued on benefiting from the pretty large income such a miner generates, we took the above as a sign that we should get out of the 'mining business' before we get sucked into the Proof of Work morass of incentives," Qbix said.

That's probably a solid decision, though without clarification from Apple, we could see more of this in the Mac App Store.

Via:  Arstechnica
Show comments blog comments powered by Disqus