A popular method of adding Google’s Play Store to Windows 11’s Android subsystem was actually an elaborate trick to get people to download shoddy, almost amateurish malware.
When Microsoft first released Windows 11, it promised that the operating system would allow users to run Android apps natively. However, users could not do this directly from the Play Store and instead were directed to the Amazon App Store.
Soon someone released a new tool on GitHub called Windows Toolbox. It offered many benefits, ranging from stripping down the operating system, to activating both the operating system and Office, to installing the Play Store for the Android subsystem.
An elaborate Trojan horse
The tool performed so well that it quickly exploded within the community, raking in downloads.
However, it seems that the tool worked a bit too well.
As reported by BleepingComputer, Windows Toolbox is actually a Trojan that runs a “series of obfuscated and malicious PowerShell scripts” that install Trojan clickers and possibly other malware.
The script uploads information about the geographical location of the victim's computer to the developer, but other than that, its malicious behavior is relatively disappointing, according to the post.
All it does is generate revenue by redirecting users to affiliate and referral URLs. It is as if the developer did not expect the tool to become so popular and did not bother to build a more elaborate plan to earn money.
When users visit whatsapp.com, for example, the script redirects them to a random URL that promotes different scams, such as https://tei.ai/hacky-file-explorer, https://tei.ai/pubg-for-low-spec-pc, or https://tei.ai/get-free-buck.
“The payload impact provided by convoluted script hits is so minor that it almost feels like something is missing,” the post concludes.
Other than the scripts, the tool actually works as expected. It appears to only target victims living in the United States.