Why This Cryptocurrency Mining Calendar App Wasn't Such a Great Idea

What if you could set your computer to mine for cryptocurrency, in exchange for access to premium features from your productivity apps? That was the thinking that spurred Qbix, developer of Calendar 2, to add a Monero mining system into its app. However, following a large backlash from the Mac community due to the idea not working so well in practice, the feature has been quickly removed.

“Even if it’s user opt-in, but done poorly or not transparently - it’s still cryptojacking,” Troy Mursch, a Las Vegas-based security expert that publicized a Google Chrome attack last year, tells Inverse. Cryptojacking is the act of using a computer user’s resources to mine cryptocurrency for the app developer, instead of the computer owner itself like with most mining setups. It can slow down computers, or in severe cases even cause smartphone batteries to fail due to overheating.

On Monday, Ars Technica reported that Calendar 2 introduced a new tier of upgrade as part of its model. The company previously offered a basic free tier with no extra features, a $0.99 per month subscription for access to all new and future premium features, or a $17.99 one-off payment for the same benefits. A fourth option unlocked all features for free, using the xmr-stack-miner to use the Mac’s processing power to generate cryptocurrency that’s sent to the developer. The fact that app was available through Apple’s pre-approved App Store suggested the Mac maker also approved of the practice.

Soon after the story went live, Qbix founder Gregory Magarshak revealed that the company decided to remove the mining feature for three key reasons:

• It didn’t work as expected. One bug caused the miner to run all the time, while another caused the miner to use far higher percentages than the 10 to 20 percent of power mandated by Qbix. The miner’s developer did not reveal the underlying source code to Qbix, and it would take too long to rectify.
• The fact it didn’t work gave people the wrong impression. Magarshak said that the bugs left people with the idea that Qbix didn’t really want to get people’s permission, which was not the case at all.
• Proof-of-work is wasteful, and the idea could encourage more waste. Monero, like Bitcoin and many others, uses an algorithm to create new tokens that rewards miners that ask their computers to solve complicated math problems. It’s a way of incentivizing the computers that power the cryptocurrency’s network, but it’s been criticized as a waste of electricity. Analysis by Alex de Vries showed Bitcoin uses about 32.36 terawatt-hours per year, equivalent to the energy consumption of Serbia. Alternatives like proof-of-stake, which rewards people for their stake in the network and is under consideration for Ethereum, use far less electricity as they don’t incentivize computer resource harvesting.

Note that this was not exactly the same as other cryptojacking incidents, where legitimate websites are attacked by hackers to harvest visitors’ resources. Tesla was one recent victim, as was a Google Chrome extension. While Qbix tried to ask for permission before using its customers’ resources, the issues around bugs taking more than expected and a proof-of-work system that provides bad incentives shows why it may not be good enough to simply ask first.

However, Mursch argues that the Qbix incident does count as cryptojacking because users didn’t really understand what they were agreeing to.

“Users may opt-in similar to agreeing to a terms of use/whatever policy without fully understanding the implications,” Mursch says. “Once they’re hooked the developer or website can take as much CPU as they want to mine cryptocurrency.”