News is circulating that the popular Andy OS Android emulator is now being installed alongside a GPU miner Trojan, and users are worried about this development. According to reports, the miner uses the computer's graphics card (the GPU, or graphics processing unit) to mine cryptocurrency.
According to a post on Reddit by TopWire, Andy was installing a GPU miner Trojan without the users' prior knowledge. He stated that the miner is installed as "C:\Program Files (x86)\Update\updater.exe" and uses the computer's GPU when launched. The poster backed his claim with a YouTube video at the end of his post.
Another cause for concern is that the Reddit user has tried to reach the Andy team through their Facebook group many times but has not received any response; he is ignored each time he raises the issue. Now let's take a look at the effects of installing Andy.
What are the effects of the Andy OS Android emulator?
When I installed and checked the latest Andy executable, I saw something that rang alarm bells: the download was delivered through an adware bundler. Such bundlers are often known to perform sneaky installs of miners onto users' computers without their knowledge and without asking their permission.
VirusTotal flags the Andy installer as an InstallCore variant. InstallCore is a well-known adware installer that presents users with various "offers" while they download free software; developers of free software like Andy are given access to it so that they generate revenue when someone installs the offered programs.
According to the Reddit user, when he tested the current Andy installer he was offered Avast, the Search Manager Chrome extension and WinZip. He declined the offers, as can be seen in the image below:
According to the Reddit user, a program was still installed on his test computer even after he rejected the offers: a file named "C:\Program Files (x86)\Updater\updater.exe". When he ran it, the program produced an error, as can be seen in the picture below:
"I could receive this error since I am testing it on a virtual machine which doesn't have a dedicated graphics card, if this file is a GPU miner," said the Reddit user.
The updater.exe file that the Reddit user posted is a well-known miner, and examining the strings in the Updater.exe miner variant that the Reddit user posted shows them to be miner strings as well.
Now let's take a closer look at where this Andy installer is coming from.
Do you know how to figure out where the installer is coming from?
Submit the Andy installer to the sandbox site Any.run and run it, and you will see a file named "GoogleUpdate.exe" being executed. While "GoogleUpdate.exe /svc" is running, a program named UpdateSetup.exe is launched; it installs the Updater.exe program and configures it to start automatically when you log into Windows. You will also see that this GoogleUpdate.exe program carries the description "AndyOS Update", which shows that it is part of Andy. "I think that something is fishy when it is named GoogleUpdate," said the Reddit user.
Further investigation shows that the GoogleUpdate.exe file is signed by "Andy OS Inc". This indicates that Andy OS Inc owns the file, or at least that the file was signed by them.
A closer look at that signature confirms that it belongs to Andy OS Inc.
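As an added, defender-side example (not part of the article, and not code from Andy OS), the PowerShell script below checks a Windows machine for the persistence described above: the updater.exe under Program Files (x86) (both spellings the article uses), any Run-key, scheduled-task or service entry that launches updater.exe, GoogleUpdate.exe or UpdateSetup.exe, and the Authenticode signer and file description of each binary it finds. The file names come from the article; the registry keys and cmdlets are standard Windows. It only reads and reports; it removes nothing.

```powershell
# Added triage script; the candidate paths and file names are taken from the
# article, everything else is standard Windows inventory. Read-only.

# Both spellings of the folder appear in the article, so check both.
$candidatePaths = @(
    "${env:ProgramFiles(x86)}\Updater\updater.exe",
    "${env:ProgramFiles(x86)}\Update\updater.exe"
)
$pattern = 'updater\.exe|GoogleUpdate\.exe|UpdateSetup\.exe'

# Report hash, version-info description and Authenticode signer for one binary.
function Get-BinaryReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    [pscustomobject]@{
        Path            = $Path
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        FileDescription = $info.FileDescription
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}

# 1. Is the binary the article names present on disk?
Write-Host '== Candidate binaries =='
foreach ($p in $candidatePaths) { Get-BinaryReport -Path $p | Format-List }

# 2. Which autostart locations reference it? Run keys, scheduled tasks, services.
$hits = @()
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
        if ("$($prop.Value)" -match $pattern) {
            $hits += [pscustomobject]@{ Source = "RunKey $key"; Name = $prop.Name; Command = "$($prop.Value)" }
        }
    }
}
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName; Command = $cmd }
        }
    }
}
# "GoogleUpdate.exe /svc" in the article is a service-style invocation, so check services too.
foreach ($svc in (Get-CimInstance Win32_Service)) {
    if ("$($svc.PathName)" -match $pattern) {
        $hits += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = "$($svc.PathName)" }
    }
}
Write-Host '== Autostart entries referencing the named executables =='
$hits | Format-Table -AutoSize

# 3. Signer check for every binary an autostart entry points at: the article
#    reports the Andy copy of GoogleUpdate.exe is signed by "Andy OS Inc", whereas
#    a genuine Google updater carries a Google signature.
Write-Host '== Signers of referenced binaries =='
foreach ($h in $hits) {
    if ($h.Command -match '([A-Za-z]:\\[^"]+?\.exe)') {
        Get-BinaryReport -Path $matches[1] | Format-List
    }
}
```

Run it from an elevated PowerShell so that HKLM, scheduled tasks and service definitions are all readable. A hit on GoogleUpdate.exe is not by itself a finding, since Google's own updater uses that name; the signer in step 3 is what separates the two.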
BleepingComputer, which has been investigating this issue, has not been able to confirm the Reddit user's claim that Andy installs miners on users' computers, but it can confirm that the installer creates the Update.exe file as the Reddit user stated. Users are advised to avoid Andy OS and related products until Andy comes out and clarifies the issue.