Free WiFi proxy revealed to be sneakily Bitcoin mining on unsuspecting users’ computers

Graham Cluley
Graham Cluley
@[email protected]

BitcoinSecurity researchers at MalwareBytes have uncovered an interesting example of one of the new ways that third parties can try to make money out of *your* computer.

Adam Kujawa, a malware researcher at the firm, has described how browser toolbars and search add-ons may not only try to earn money and irritate you by displaying adverts, but might also be silently installing a Bitcoin miner onto your PC.

There’s nothing wrong with Bitcoin-mining software, of course. But it should be *your* choice whether you want your computer’s resources tied up with the complex number-crunching necessary to create the digital currency. What’s bad about the software that MalwareBytes has discovered, is that users may not realise that this is the price they are paying for installing what they believed to be a free tool.

In this particular case, researchers have identified a tool called “Your Free Proxy”, from a company called Mutual Public (also known as We Build Toolbars, LLC or WBT).

Sign up to our free newsletter.
Security news, advice, and tips.

The proxy software claims that it will protect your IP address, and keep your internet usage private from whoever might be snopping upon you. It also claims to have been featured in the New York Times, CNN, Fast Company, Wall Street Journal and others, had over 189 million downloads, and to be 100% free.

Free proxy website

Sounds too good to be true, doesn’t it? And perhaps it is.

Because the security researchers discovered that the software uses the Mutual Public Installer (monitor.exe), downloading it from an Amazon cloud server. And that installer can receive remote commands, including instructions to download Bitcoin-mining software.

Coin mining software, available for download by toolbar software

Sneaky. Very sneaky.

Perhaps surprisingly, the software doesn’t entirely hide its intentions.


Buried away in the program’s terms & conditions is a section that says:

COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.

No doubt it’s that small print that the firm is hoping will keep it out of any legal trouble.

After all, it was there for users to see… and it’s hardly the software vendor’s fault that once again users didn’t bother to read the legalese…

Always be wary of software which seems to be too good to be true. It may well be trying to make money at your expense.

Hopefully other anti-virus vendors will follow MalwareBytes’s lead and add detection of this potentially unwanted application, as I cannot imagine many people wanting their computer’s performance to be halved because it is secretly making money for someone else.

Learn more about this Bitcoin-mining software on MalwareBytes’s blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Free WiFi proxy revealed to be sneakily Bitcoin mining on unsuspecting users’ computers”

  1. Graham, an important aspect isn't just the breach of trust or slowing down the users' machines, the most legally significant issue is one of theft of electricity – all that number crunching can more than double power consumption, especially if it can use one or more GPUs too.

    The clause in their contract does not explain that it would increase the users electricity bills, so I expect their hoped-for defence would not stand up in court.

  2. Spryte

    Another point is that using Amazon cloud services to store malware is probably a breach of their Terms and Conditions.
    Perhaps a complaint to Amazon is in order.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.