Google Play installer for Windows 11 Subsystem for Android secretly installed malware

Ddos April 16, 2022 2 minutes read

After the launch of the Windows 11 Subsystem for Android, many users hope to install the Google Play Store, so that it is more convenient to download and install applications directly from the Play Store. But after all, the Google Play Store is a proprietary application, so it is impossible for Microsoft to pre-install it directly. On the contrary, Microsoft and Amazon reached an agreement to pre-install Amazon’s application store. In fact, it is only slightly troublesome to deploy the Google Play Store in the Windows 11 Subsystem for Android, so some hackers use this theme to spread the malware.

Windows Toolbox is hosted on Github and looks like open source software, and its developers claim that it only needs to be prompted to execute PowerShell commands to install Google Play in Windows Subsystem for Android. Features offered include uninstalling Microsoft’s pre-installed apps, improving Android subsystem performance, turning security updates on or off, and installing the Google Play Store. The tool even has a built-in activation module to provide system activation functions, apparently, so many functions are designed to lure users to execute malicious command lines.

When the user executes the command line according to the prompt, the tool will download a large number of files, copy the browser configuration file, and install malicious extensions on the browser. These malicious extensions are mainly used to hijack users’ access. For example, when users visit whatsapp.com, the script will redirect them to one of the following random URLs, which contain “make money” scams, browser notifications scams, and promotions of unwanted software.

After being found to be abnormal, some users submitted complaints to Github. At present, the hosting homepage of the software has been deleted, but some codes can still be seen. There is currently no security software that can solve it, and the user needs to check the system scheduled tasks, startup tasks, and system folders by themselves. If there is a C:\systemfile folder on the user’s system disk, it is very likely to be attacked. You can consider deleting this folder completely in safe mode, also delete the following folders: C:\Windows\security\pywinvera, C:\Windows\security\pywinveraa, and C:\Windows\security\winver.png and restart.

Via: bleepingcomputer