A popular Windows 11 ToolBox script used to add the Google Play Store to the Android Subsystem has secretly infected users with malicious scripts, Chrome extensions, and potentially other malware.
When Windows 11 was released in October, Microsoft announced that it will allow users to run native Android apps directly from within Windows.
This feature was exciting for many users, but when the Android for Windows 11 preview was released in February, many were disappointed they could not use it with Google Play and were stuck with apps from the Amazon App Store.
While there were ways to use ADB to sideload Android apps, users began looking for methods that let them add the Google Play Store to Windows 11.
Around that time, someone released a new tool called Windows Toolbox on GitHub with a host of features, including the ability to debloat Windows 11, activate Microsoft Office and Windows, and install Google Play Store for the Android subsystem.
The Windows Toolbox was actually a Trojan that executed a series of obfuscated, malicious PowerShell scripts to install a trojan clicker and possibly other malware on devices.
Mitigation:
For those who ran this script in the past and are concerned they may be infected, you can check for the existence of the above-scheduled tasks and the C:\systemfile folder.
If these are present, delete the associated tasks, the systemfile folder, and the Python files installed as C:\Windows\security\pywinvera, C:\Windows\security\pywinveraa, and C:\Windows\security\winver.png.
Source: BleepingComputers