Author: Mayank Sharma
- A malicious tool pushed malware in the guise of simplifying the installation of Android apps in Windows.
- The tool worked as advertised, so it didn’t raise any red flags.
- Experts suggest people handle any software downloaded from third-party sites with utmost care.
mustafahacalaki / Getty Images
Just because the open source software’s code is available for anyone to see, it doesn’t mean that everyone takes a look at it.
Taking advantage of this, hackers co-opted a third-party Windows 11 ToolBox script to distribute malware. On the surface, the app works as advertised and helps add the Google Play Store to Windows 11. However, behind the scenes, it also infected the computers it was running on with all kinds of malware.
"If there is any sort of advice that could be taken from this, it is that grabbing code to run off the internet demands extra scrutiny," John Hammond, Senior Security Researcher at Huntress, told Lifewire over email.
One of the most eagerly anticipated features of Windows 11 was its ability to run Android apps directly from within Windows. However, when the feature was finally released, people were restricted to installing a handful of curated apps from the Amazon App Store and not the Google Play Store as people had hoped. There was some respite since the Windows Subsystem for Android allowed people to sideload apps with the help of Android Debug Bridge (adb), in essence allowing the installation of any Android app in Windows 11. Apps soon began to pop up on GitHub, such as the Windows Subsystem for Android Toolbox, which simplified installing any Android app in Windows 11. One such app called the Powershell Windows Toolbox also offered the ability along with several other options, for instance, to remove bloat from a Windows 11 installation, tweak it for performance, and more. However, while the app worked as advertised, the script was secretly running a series of obfuscated, malicious PowerShell scripts to install a trojan and other malware. "If there is any sort of advice that could be taken from this, it is that grabbing code to run off the internet demands extra scrutiny."
The script’s code was open source, but before anyone bothered to look at its code to spot the obfuscated code that downloaded the malware, the script had clocked hundreds of downloads. But since the script worked as advertised, no one noticed something was amiss.
Using the example of 2020’s SolarWinds campaign that infected multiple Government agencies, Garret Grajek, CEO of YouAttest, opined that hackers have figured out the best way to get malware into our computers is to have us install it ourselves.
"Be it through purchased products like SolarWinds or through open source, if the hackers can get their code into 'legitimate' software, they can save the effort and expense of exploiting zero-day hacks and looking for vulnerabilities," Grajek told Lifewire via email.
Nasser Fattah, North America Steering Committee Chair at Shared Assessments, added that in the case of the Powershell Windows Toolbox, the trojan malware delivered on its promise but had a hidden cost.
"Good trojan malware is one that provides all the capabilities and functions that it advertises it does… plus more (malware)," Fattah told Lifewire over email.
Fattah also pointed out that the project’s use of a Powershell script was the first sign that spooked him. "We need to be very cautious of running any Powershell scripts from the internet. Hackers have and will continue to leverage Powershell to distribute malware," warned Fattah.
Hammond agrees. Perusing through the documentation of the project that’s now been taken offline by GitHub, the suggestion of starting a command interface with administrative privileges, and running a line of code that fetches and runs code from the Internet, is what set off the warning bells for him.
David Cundiff, chief information security officer at Cyvatar, believes there are several lessons people can learn from this normal-looking-with-malicious-insides software. "Security is a shared responsibility as described on GitHub’s own security approach," pointed out Cundiff. "This means that no one entity should rely completely on a single point of failure in the chain."
Bill Hinton / Getty Images
Furthermore, he advised that anyone who downloads code from GitHub should keep their eyes peeled for warning signs, adding that the situation will repeat itself if people operate under the assumption that everything will be in order since the software is hosted on a trusted and reputable platform.
"While Github is a reputable code sharing platform, users can share any security tooling for good, as well as evil," agreed Hammond.