Windows 11: beware of this application to install the Google Play Store, it is malware


Fanny Dufour

April 19, 2022 at 7:30 p.m.


Users on GitHub have discovered that a tool to install the Google Play Store on Windows 11 actually contained malicious scripts.

The tool, called Powershell Windows Toolbox, has since been removed from GitHub.

An attractive “all-in-one” tool

Excitement quickly turned to disappointment for Windows 11 users when it became clear that Android apps would arrive only through the understocked Amazon App Store. Several of them therefore tried to get around this limitation and install the Google Play Store on their operating system. One tool in particular caught the attention of some users: Powershell Windows Toolbox. According to several GitHub users who reviewed the tool, however, it installed malware.

In addition to installing the Google Play Store on Windows 11, the tool offered to automatically uninstall and remove preinstalled applications, activate Microsoft Office and Windows, or disable OneDrive and the Microsoft Store. A tempting proposition for several users, who installed it as a result.

Well-hidden malware

To run Powershell Windows Toolbox, the developer required users to enter a PowerShell command that retrieved a script from a Cloudflare worker. That script is what allowed Windows Toolbox to perform the various operations it promised, but it also contained obfuscated code which, as several users discovered, concealed further PowerShell code. That hidden code let the tool fetch malicious scripts from other Cloudflare workers and from files in a GitHub repository.

It was not possible to determine exactly what Powershell Windows Toolbox was trying to do on its victims' computers, because several resources called by the malware are now inaccessible. However, it was found to create a Chromium extension that ran a new script each time the browser launched. This script appears to have had the main purpose of generating revenue for the developer: it redirected victims to paid links and to scam sites promising easy money-making methods, displayed advertisements for software, and used browser notifications to promote scams.

According to BleepingComputer, the malware collected information about the victim’s location and only targeted users in the United States. Even so, if you downloaded the tool, you should still check whether it created the following scheduled tasks:

  • Microsoft\Windows\AppID\VerifiedCert
  • Microsoft\Windows\Application Experience\Maintenance
  • Microsoft\Windows\Services\CertPathCheck
  • Microsoft\Windows\Services\CertPathw
  • Microsoft\Windows\Servicing\ComponentCleanup
  • Microsoft\Windows\Service\ServiceCleanup
  • Microsoft\Windows\Shell\ObjectTask
  • Microsoft\Windows\Clip\ServiceCleanup

You should also check for the hidden folder C:\systemfile and the files C:\Windows\security\pywinvera, C:\Windows\security\pywinveraa and C:\Windows\security\winver.png, and delete them if they are present. If you want to restore your system from a restore point, make sure you do not use the one that Powershell Windows Toolbox creates automatically the first time it runs.
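As an added example that is not part of the article or of BleepingComputer's write-up, the following PowerShell script checks a host for the task and file names listed above (the backslash-separated task paths are assumed from those names) and prints the restore points so the one the tool created can be recognised and avoided:

```powershell
# Added example (not from the article): looks for the scheduled tasks and files
# named above and lists restore points. Run from an elevated Windows PowerShell
# prompt; add -Remove to delete what is found.
[CmdletBinding()]
param([switch]$Remove)
# Full task paths assumed from the article's list (folder and task name under \Microsoft\Windows\)
$suspectTasks = @(
    '\Microsoft\Windows\AppID\VerifiedCert',
    '\Microsoft\Windows\Application Experience\Maintenance',
    '\Microsoft\Windows\Services\CertPathCheck',
    '\Microsoft\Windows\Services\CertPathw',
    '\Microsoft\Windows\Servicing\ComponentCleanup',
    '\Microsoft\Windows\Service\ServiceCleanup',
    '\Microsoft\Windows\Shell\ObjectTask',
    '\Microsoft\Windows\Clip\ServiceCleanup'
)
# Files and the hidden folder named in the article
$suspectPaths = @(
    'C:\systemfile',
    'C:\Windows\security\pywinvera',
    'C:\Windows\security\pywinveraa',
    'C:\Windows\security\winver.png'
)
# TaskPath carries leading and trailing backslashes, so path + name gives the full task path
$found = Get-ScheduledTask | Where-Object { ($_.TaskPath + $_.TaskName) -in $suspectTasks }
$hits = @($found).Count
foreach ($task in $found) {
    Write-Warning "Suspicious scheduled task: $($task.TaskPath)$($task.TaskName) (state: $($task.State))"
    # Show what the task launches, which is useful for triage before removing it
    $task.Actions | ForEach-Object { Write-Host "    runs: $($_.Execute) $($_.Arguments)" }
    if ($Remove) { Unregister-ScheduledTask -TaskPath $task.TaskPath -TaskName $task.TaskName -Confirm:$false }
}
# -Force is required so that hidden items are matched
foreach ($p in $suspectPaths) {
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($item) {
        $hits++
        Write-Warning "Suspicious item: $p (attributes: $($item.Attributes))"
        if ($Remove) { Remove-Item -LiteralPath $p -Recurse -Force }
    }
}
if ($hits -eq 0) { Write-Host 'None of the listed tasks or files were found.' }
# Restore points, oldest first: avoid rolling back to one created right after the tool's first run
Get-CimInstance -Namespace root/default -ClassName SystemRestore |
    Sort-Object SequenceNumber |
    Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

Run it once without -Remove to review the task actions and file attributes before deleting anything.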


Source : BleepingComputer


