A sizeable number of Windows 11 installs are potentially compromised after it emerged that a third-party Windows 11 ToolBox script, which has been used to add the Google Play Store to the Android Subsystem, was secretly infecting users with malicious scripts, Chrome extensions, and potentially other malware.
Back when Microsoft announced Windows 11 to the world, one of the main highlights was that the OS would be able to run native Android apps directly from within the system.
Fast-forward to its release, and potential users were left disappointed, to say the least, as they could not use Windows 11 with Google Play. Instead, they were stuck with apps from the Amazon App Store.
The Amazon App Store is not bad by any means, but the Android ecosystem is highly reliant on Google and Google Play Services, which means the Windows 11 integration with the Amazon App Store does not satisfy every user. There is also the fact that the Amazon App Store only contains a fraction of the number of apps found on the Play Store.
These unsatisfied users began searching for ways that would let them add the Google Play Store to Windows 11, and that is where some of them got caught by the malware-ridden third-party tool which promised to do what they wanted, and more.
The new tool, Windows Toolbox, was released on GitHub promising several features, including the ability to debloat Windows 11, activate Microsoft Office and Windows, and install the Google Play Store for the Android subsystem.
For unsuspecting users, this was probably as close to perfection as they would get from a free tool. It was only a matter of time before it gained popularity, thanks to the sharing nature of tech enthusiasts and to several tech websites covering the third-party tool, not knowing that it was doing sinister things under the hood.
However, there has been a change of tune regarding Windows Toolbox over the past week, after a few users discovered that the tool was a front for a very clever malware attack.
Windows Toolbox did all it promised; however, it also contained hidden PowerShell code that would retrieve various scripts and use them to execute commands and download files on an infected PC.
From the code on GitHub, it appears the malware scripts primarily targeted users in the USA and created numerous Scheduled Tasks. These Scheduled Tasks were then used to configure various variables, create other scripts to be run by the tasks, and kill a few system processes.
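Scheduled Tasks that launch PowerShell to fetch and run further scripts are the persistence pattern described above, and they are also one of the easier things for a user to audit before deciding whether a machine needs rebuilding. The script below is an added example, not code from the article or from the Windows Toolbox repository. It is read-only: it walks every non-Microsoft scheduled task and reports those whose command line shows generic traits of script-download persistence (encoded commands, download cradles, Invoke-Expression, hidden windows, execution-policy bypass, process killing, or common living-off-the-land staging binaries). The pattern list and the function name Get-SuspiciousScheduledTask are my own generic heuristics, not indicators taken from the Toolbox itself, so treat a hit as something to inspect by hand rather than as proof of infection.

```powershell
# Added example (not from the article or the Windows Toolbox project): a read-only audit
# of scheduled tasks whose actions look like script-download persistence.
# The patterns are generic heuristics, not indicators extracted from the Toolbox.

# Generic heuristics, matched case-insensitively against "<Execute> <Arguments>".
$SuspiciousPatterns = @(
    'powershell(\.exe)?\s.*-(enc|encodedcommand)',                 # encoded command line
    'downloadstring|downloadfile|invoke-webrequest|iwr\s|curl\s',  # download cradle
    'iex\s|invoke-expression',                                      # executing fetched text
    '-w(indowstyle)?\s+hidden',                                     # hidden console window
    '-ep\s+bypass|-executionpolicy\s+bypass',                       # execution-policy bypass
    'stop-process|taskkill',                                        # killing processes from a task
    'bitsadmin|certutil.*-urlcache|mshta|wscript|cscript'           # LOLBins often used to stage scripts
)

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        [string[]]$Patterns = $SuspiciousPatterns
    )
    # Tasks under \Microsoft\ are skipped to reduce noise; review that tree separately if needed.
    $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }

    foreach ($task in $tasks) {
        foreach ($action in $task.Actions) {
            # COM-handler actions carry no Execute property; only exec actions are inspected here.
            if (-not $action.Execute) { continue }

            $cmdline = "$($action.Execute) $($action.Arguments)"
            $hits = $Patterns | Where-Object { $cmdline -imatch $_ }
            if (-not $hits) { continue }

            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                Author      = $task.Author
                RunAs       = $task.Principal.UserId
                State       = $task.State
                LastRunTime = $info.LastRunTime
                CommandLine = $cmdline
                MatchedOn   = ($hits -join '; ')
            }
        }
    }
}

# Usage: run from an elevated PowerShell prompt so that tasks registered for other
# principals are visible, then inspect any script paths the reported tasks reference.
Get-SuspiciousScheduledTask | Format-List
```

The cmdlets used (Get-ScheduledTask, Get-ScheduledTaskInfo) ship with the ScheduledTasks module on Windows 8 and later. Run it elevated, since tasks registered to run as SYSTEM or another user are otherwise not enumerated, and remember that a task whose action points at a script file can only be judged by reading that file: an innocuous-looking `powershell.exe -File C:\...\task.ps1` is exactly where a downloader would hide.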
While the malware did an impressive job of hiding itself within Windows Toolbox, its effect on the infected PC does not match this sophistication. Although the tool uploaded the geographical location of the infected PC, its main purpose seems to be generating revenue by redirecting users to affiliate and referral URLs.
For instance, when users visit whatsapp.com, the tool redirects them to random URLs containing “make money” scams, browser notification scams, and promotions of unwanted software.
However, given how cleverly this malware was hidden, a bigger threat may have been concealed even more carefully and not yet uncovered. If you have used the tool to get the Play Store running on your Windows 11 PC, a clean reinstallation of Windows 11 is the only way to be sure you have gotten rid of the malware.