Popular Calendar 2 app mines Monero by default, but at least it discloses it. Resource-draining currency miners are a regular part of the Google Play market, as scammers pump out apps that covertly harness millions of devices, in some cases with malware so aggressive it can physically damage phones. A popular title in the Mac App Store recently embraced coin mining openly, and so far Apple gatekeepers haven't blocked it. The app is Calendar 2, a scheduling app that aims to include more features than the Calendar app that Apple bundles with macOS. In recent days, Calendar 2 developer Qbix endowed it with code that mines the digital coin known as Monero. The xmr-stack miner isn't supposed to run unless users specifically approve it in a dialog that says the mining will be in exchange for turning on a set of premium features. If users approve the arrangement, the miner will then run. Users can bypass this default action by selecting an option to keep the premium features turned off or to pay a fee to turn on the premium features. If Calendar 2 isn't the first known app offered in Apple's official and highly exclusive App Store to do currency mining, it's one of the very few. The discovery comes as sky-high valuations have pushed the limits of currency mining and led to a surge of websites and malware that surreptitiously mine digital coins on mobile devices, personal computers, and business servers. Calendar 2 is slightly different in the sense that it clearly discloses the miner it runs by default. That puts it in a grayer zone than most of the miners seen to date. "On the one hand, using the user's CPU for cryptomining has become extremely unpopular," Thomas Reed, director of Mac offerings at antimalware provider Malwarebytes, told Ars. "The fact that this is the default is something I don't like. I would want to see a legit app informing the user in advance or making it an option that can be turned on but is off by default. On the other hand, they [the developers] do disclose that they are doing it and give other options for people who don't like it. My personal feeling on this is that, given the disclosure, I think the user should be allowed to make their own choice. Some people might be perfectly willing to let an app like this mine cryptocurrency so that they can use it for free." Apple representatives didn't respond to emails asking if the recently updated Calendar 2 violated App Store terms and services. Almost 24 hours after Ars alerted them to app, it remained available for download. Patrick Wardle, a researcher specializing in macOS security, has a detailed analysis of the miner here. In an email, Qbix founder Gregory Magarshak said the rollout of the currency miner has been complicated by two bugs that prevented it from working as intended. The first flaw caused the miner to run indefinitely, even when users changed the default setting. The second bug caused the miner to consume more resources than planned. Developers programmed the miner to use 10 percent to 20 percent of a Mac's computing power, depending on whether the machine was plugged in. The new miner has been using much higher percentages. Magarshak wrote: In short, as you can imagine, these two bugs caused issues for many of our users. We got a lot of messages saying "I love your app and used it for many years, but this version is kicking my computer into overdrive! Please fix it ASAP." (Paraphrased.) And so forth. What started out as a well-meaning option to just let people try out a new way to get all features unlocked became an option that made many people associate "mining" with huge CPU consumption. The miner—or at least the bugs found in the one released—has generated plenty of criticism on social media. @SGgrc @QbixApps Calendar 2 for Mac (from the App Store) launched a cryptocurrency miner without my permission. Then it ate 200% CPU until I found it and killed it. I didn't expect a miner infection from an App Store vendor. Wow. It runs the xmr-stak Monero miner. Qbix is in the process of publishing an update to fix the bugs. Magarshak went on to note that he has long criticized what he says is an "arms race to waste electricity to solve hashes." Such arms races are created by currency mining based on what's known as "proof of work" computing. He said he's considering removing the miner altogether from Calendar 2. For now, it's still there, and there's no indication Apple has any plans to change that. Update: In an e-mail sent about 90 minutes after this post went live, Magarshak said he has decided to remove the miner from future versions of Calandar 2. He explained: We have decided to REMOVE the miner in the app. The next version will remove the option to get free features via mining. This is for three reasons: 1) The company which provided us the miner library did not disclose its source code, and it would take too long for them to fix the root cause of the CPU issue. 2) The rollout had a perfect storm of bugs which made it seem like our company *wanted* to mine crypto-currency without people's permission, and that goes against our whole ethos and vision for Qbix. 3) My own personal feeling that Proof of Work has a dangerous set of incentives which can lead to electricity waste on a global scale we've never seen before. We don't want to get sucked into this set of incentives, and hopefully our decision to ultimately remove the miner will set some sort of precedent for other apps as well. Ultimately, even though we technically could have remedied the situation and continued on benefiting from the pretty large income such a miner generates, we took the above as a sign that we should get out of the "mining business" before we get sucked into the Proof of Work morass of incentives. Apple representatives have yet to return requests for comment.
A calendar app in the Mac App Store has been mining cryptocurrency in the background in exchange for giving users additional features — and an option to opt out of mining has been broken. So far, Apple has not taken the scheduling app Calendar 2 down, even after Ars Technica informed the company that Calendar 2 has been mining virtual currency. The app is supposed to be a buffed-up version of Apples Calendar app in macOS, but recently, its developer, Qbix, added extra code to mine monero, a digital coin launched in April 2014 and meant to be a more anonymous version of bitcoin, as you cant view transactions on a public ledger. That makes Calendar 2 something of a rarity in the App Store — there dont appear to be other mining apps in the store, let alone apps that use mining as a way to get additional value from non-paying users. The miner runs in exchange for letting the users access more premium features. Users can opt out by keeping premium features off or paying for them through the App Store. However, as Ars noted, the app had a bug that kept the miner running, even if users tried to opt out, and a second bug that caused the miner to consume more resources than originally intended. A user noted on Twitter that the app ate 200% CPU until I found it and killed it. I didnt expect a miner infection from an App Store vendor. Wow. The apps current rating is two out of five in the App Store, with many recent reviews docking stars because of the unwanted mining. Qbix stated that it was in the middle of publishing a fix for the bugs. Mining programs tend to favor Monero over Bitcoin or Ethereum, as Monero has a more CPU-friendly hashing algorithm. Salons website asks readers if they would like to let the media outlet mine monero through readers unused computing power, as an alternative to looking at ads. Additionally, Monero has also become an easy target for a spate of malicious mining programs that have emerged in recent months, according to a report from Symantec in December. While Apple doesnt have any rules expressly banning mining apps, it wouldnt be surprising for the company to remove such apps, given this sentence in the guidelines: Apps should not rapidly drain battery, generate excessive heat, or put unnecessary strain on device resources. Weve reached out to Apple for comment.