When Microsoft first released Windows 11, it promised the OS would allow users to run Android apps, natively. However, users couldn’t do it directly from the Play Store and were rather pointed toward the Amazon App Store.
Soon enough, someone published a new tool to GitHub called Windows Toolbox. It provided many benefits, from debloating the operating system to activating both the OS and Office, to - installing the Play Store for the Android subsystem.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
An elaborate trojan
The tool worked so well that it quickly blew up within the community, raking in downloads.
However, it seems that the tool worked a little too well.
As reported by Bleeping Computer, Windows Toolbox is actually a trojan that executes a “series of obfuscated, malicious PowerShell scripts” that install trojan clickers and maybe even other malware.
The script uploads information regarding the victim endpoint's geographic location to the developer, but other than that, its malicious behavior is relatively underwhelming, the publication claims.
All it does is generate revenue, by redirecting users to affiliate and referral URLs.
As if the developer never expected the tool to become so popular and didn’t bother building a more elaborate money-making scheme.
When users visit whatsapp.com, for example, the script will redirect them to a random URL that promotes different scams, such as https://tei.ai/hacky-file-explorer, https://tei.ai/pubg-for-low-spec-pc, or https://tei.ai/get-free-buck.
“The impact of the payload delivered by hits convoluted mess of scripts is so minor that it almost feels like something is missing,” the publication concludes.
Apart from the scripts, the tool indeed works as intended. It appears that it only targets victims living in the United States.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.