A popular method of adding Google’s Play Store to the Windows 11 Android subsystem was actually an elaborate ruse to have people download a low-quality, almost amateurish, malware.
When Microsoft first released Windows 11, it promised the OS would allow users to run Android apps, natively. However, users couldn’t do it directly from the Play Store and were rather pointed toward the Amazon App Store.
Soon enough, someone published a new tool to GitHub called Windows Toolbox. It provided many benefits, from debloating the operating system to activating both the OS and Office, to - installing the Play Store for the Android subsystem.
An elaborate trojan
The tool worked so well that it quickly blew up within the community, raking in downloads.
However, it seems that the tool worked a little too well.
As reported by Bleeping Computer, Windows Toolbox is actually a trojan that executes a “series of obfuscated, malicious PowerShell scripts” that install trojan clickers and maybe even other malware.
The script uploads information regarding the victim endpoint's geographic location to the developer, but other than that, its malicious behavior is relatively underwhelming, the publication claims.
All it does is generate revenue, by redirecting users to affiliate and referral URLs.
As if the developer never expected the tool to become so popular and didn’t bother building a more elaborate money-making scheme.
When users visit whatsapp.com, for example, the script will redirect them to a random URL that promotes different scams, such as https://tei.ai/hacky-file-explorer, https://tei.ai/pubg-for-low-spec-pc, or https://tei.ai/get-free-buck.
“The impact of the payload delivered by hits convoluted mess of scripts is so minor that it almost feels like something is missing,” the publication concludes.
Apart from the scripts, the tool indeed works as intended. It appears that it only targets victims living in the United States.
Via: BleepingComputer
