Calendar 2 app pulled from Mac App Store after cryptomining controversy

Apple approved misbehaving cryptomining feature.

How do you feel about paying a subscription for software?

Are you happy to pay a monthly fee to get new features as soon as they are developed, helping to support software houses, or do you think you should only have to pay once – or, perhaps, not at all?

It’s definitely the case that many people dislike paying software subscriptions, and resent that more and more products are moving in that direction. And perhaps that’s why Qbix, the developers of a popular Mac scheduling app called “Calendar 2”, recently shipped a version of their software with an alternative revenue-generating feature.


Rather than paying a flat fee of $17.99 or a 99 cents per month subscription to gain access to all of Calendar 2’s advanced features, the app now offered “All advanced features for free” if you allowed it to “unobtrusively” generate the Monero cryptocurrency in the background.

Now, I don’t necessarily have a problem with cryptomining *if* it is done with the full, conscious permission of the computer’s user, who is aware of the possible downsides.

Unfortunately, users complained that the app was cryptomining *without* their explicit permission.

Security researcher Patrick Wardle analysed the app, and also managed to grab a screenshot of some of the poor reviews it was receiving on the Mac App store.

Bad reviews

“This shady practice is not acceptable, and I don’t know how this app passed Apple’s quality inspection.”

“An app should not be able to all of a sudden change your settings and turn it into a cryptomining machine. It uses up so much memory, power and it slows the computer down. I immediately removed it and came to write a review, and I never write reviews.”

Okay, so this would be bad enough. But what’s worse is that the buggy cryptomining version of Calendar 2 was distributed via Apple’s Mac App Store, a marketplace that you expect to be safer than third-party sites because developers have to jump through so many hoops to have their apps approved.

The appearance of a cryptomining app in the official Mac App Store either suggests that Apple is allowing in apps that are open about cryptomining, or that Apple missed it.

And if Apple missed it, what other apps might be secretly harbouring malicious code in the Mac App Store?

If the complaining users are to be believed, the app may have been open about its cryptomining but a bug meant that the cryptomining occurred even when users declined to participate.

The app has now been pulled from the Mac App Store, and developer Qbix has blamed the problem on a “perfect storm” of bugs that meant it didn’t work as intended.

As Ars Technica reports, Qbix thought their app would “only” use 10-20% of a Mac’s computer power, depending on whether it was plugged in or not… but actually used much more.

Qbix has decided that it will submit a new version of its app to the Mac App Store, which doesn’t include the third-party cryptomining code, and has said it has decided to “get out of the mining business.”

A good decision by them, I think. But meanwhile Apple probably needs to wake itself up to the growing interest in cryptomining within apps, and decide what it wants to do about it. At the time of writing Apple has declined to comment on whether Qbix broke any rules.

You can hear more about this incident on an edition of the “Smashing Security” podcast:

Smashing Security #069: 'Cryptomining, China, and Bob Ross'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
