This fake Google Play Store script could spell havoc for Windows 11 users

(Image credit: Iaremenko Sergii / Shutterstock)

A popular method of adding Google’s Play Store to the Windows 11 Android subsystem was actually an elaborate ruse to have people download a low-quality, almost amateurish, malware.

When Microsoft first released Windows 11, it promised the OS would allow users to run Android apps, natively. However, users couldn’t do it directly from the Play Store and were rather pointed toward the Amazon App Store.

Soon enough, someone published a new tool to GitHub called Windows Toolbox. It provided many benefits, from debloating the operating system to activating both the OS and Office, to - installing the Play Store for the Android subsystem.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

An elaborate trojan 

The tool worked so well that it quickly blew up within the community, raking in downloads. 

However, it seems that the tool worked a little too well.

As reported by Bleeping Computer, Windows Toolbox is actually a trojan that executes a “series of obfuscated, malicious PowerShell scripts” that install trojan clickers and maybe even other malware.

The script uploads information regarding the victim endpoint's geographic location to the developer, but other than that, its malicious behavior is relatively underwhelming, the publication claims.

All it does is generate revenue, by redirecting users to affiliate and referral URLs. 

As if the developer never expected the tool to become so popular and didn’t bother building a more elaborate money-making scheme. 

When users visit, for example, the script will redirect them to a random URL that promotes different scams, such as,, or

“The impact of the payload delivered by hits convoluted mess of scripts is so minor that it almost feels like something is missing,” the publication concludes.

Apart from the scripts, the tool indeed works as intended. It appears that it only targets victims living in the United States.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.