Powershell Windows Toolbox, a tool that helps install Google Play on Windows 11, contains malicious code

A third-party tool used to install the Google Play Store on Windows 11, among other functions, has been found to be malicious. Quite a few people have become victims when using this tool to install the Play Store.

The tool, called "Powershell Windows Toolbox", was posted to GitHub, where user LinuxUserGD noticed that hidden, heavily obfuscated lines of code contained malicious parts. Other users then went on to report problems related to the tool. Powershell Windows Toolbox has now been removed from GitHub.

Here's what the tool claims it can do:

[Picture 1: screenshot of the features the tool claims to offer]

First, the tool uses Cloudflare Workers to load a script. In the "How to use" section of the tool, the developer instructs the user to run the following command in the CLI:

[Picture 2: the command the developer tells users to run]

The loaded script is itself obfuscated. After reversing the obfuscation, experts found that these lines of code download malicious scripts from Cloudflare Workers and files from the GitHub repo of user alexrybak0444. That repo has also been reported and removed.

[Picture 3: the de-obfuscated code that downloads the malicious scripts]

The scripts then create an extension for Chromium-based browsers. This is believed to be the main malicious component of the distribution campaign. It appears that certain links or URLs are used to generate revenue through affiliate and referral programs, promoting particular software or scams through Facebook and WhatsApp messages.

If you have installed Powershell Windows Toolbox, you need to remove the following components from your computer. Here is what the malware adds during the infection:

  1. Microsoft\Windows\AppID\VerifiedCert
  2. Microsoft\Windows\Application Experience\Maintenance
  3. Microsoft\Windows\Services\CertPathCheck
  4. Microsoft\Windows\Services\CertPathw
  5. Microsoft\Windows\Servicing\ComponentCleanup
  6. Microsoft\Windows\Servicing\ServiceCleanup
  7. Microsoft\Windows\Shell\ObjectTask
  8. Microsoft\Windows\Clip\ServiceCleanup

At the same time, you also need to delete the hidden folder "C:\systemfile" created by the malicious code during the intrusion. If you use System Restore, make sure the restore point was not created by Powershell Windows Toolbox, since such a restore point will not remove the malware.
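The removal steps above, as an added PowerShell script that is not part of the original article or of the toolbox itself. It assumes that the eight listed names are scheduled-task paths under \Microsoft\Windows\ (with the backslashes lost in formatting) and that the hidden folder is C:\systemfile; by default it only reports what it finds, and removes the artifacts only when run with -Remove.

```powershell
# Added example: audit a Windows 11 machine for the persistence artifacts the article
# lists, and optionally remove them. Assumption: the eight names are scheduled-task
# paths under \Microsoft\Windows\; the hidden folder is C:\systemfile.
# Run from an elevated PowerShell. Without -Remove the script only reports.
param([switch]$Remove)

$suspectTasks = @(
    '\Microsoft\Windows\AppID\VerifiedCert',
    '\Microsoft\Windows\Application Experience\Maintenance',
    '\Microsoft\Windows\Services\CertPathCheck',
    '\Microsoft\Windows\Services\CertPathw',
    '\Microsoft\Windows\Servicing\ComponentCleanup',
    '\Microsoft\Windows\Servicing\ServiceCleanup',
    '\Microsoft\Windows\Shell\ObjectTask',
    '\Microsoft\Windows\Clip\ServiceCleanup'
)
$suspectFolder = 'C:\systemfile'

foreach ($full in $suspectTasks) {
    # Split '\Microsoft\Windows\AppID\VerifiedCert' into the TaskPath
    # '\Microsoft\Windows\AppID\' and the TaskName 'VerifiedCert'.
    $idx  = $full.LastIndexOf('\')
    $path = $full.Substring(0, $idx + 1)
    $name = $full.Substring($idx + 1)
    $task = Get-ScheduledTask -TaskPath $path -TaskName $name -ErrorAction SilentlyContinue
    if ($null -eq $task) { continue }
    # Show what the task runs so the finding can be checked before anything is deleted
    # (the names sit next to legitimate Windows tasks in the same folders).
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Write-Output "FOUND task $full -> $actions"
    if ($Remove) {
        Unregister-ScheduledTask -TaskPath $path -TaskName $name -Confirm:$false
        Write-Output "  removed $full"
    }
}

if (Test-Path -LiteralPath $suspectFolder) {
    # -Force is required to read a hidden folder's attributes.
    $item = Get-Item -LiteralPath $suspectFolder -Force
    Write-Output "FOUND folder $suspectFolder (attributes: $($item.Attributes))"
    if ($Remove) {
        Remove-Item -LiteralPath $suspectFolder -Recurse -Force
        Write-Output "  removed $suspectFolder"
    }
}
```

Run it once without -Remove, confirm that each reported task points at something under C:\systemfile or another unexpected location, then run it again with -Remove.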

However, before installing the Google Play Store, TipsMake.com notes that, according to Microsoft, running Android apps on Windows 11 requires a computer with a relatively high configuration.
