A malicious app called "Album by Google Photos" was found in the Microsoft Store today that pretends to be published by Google. The app presents itself as part of Google Photos, but is actually an ad clicker that repeatedly opens hidden advertisements on Windows 10.
This free Album by Google Photos app claims to be created by Google LLC and has a description of "Finally, a photos app that's as smart as you.". You can see an image of its Microsoft Store page below.
As this is an ad clicker, the reviews for the app are not very good. One review calls it a "Fake App" and another is titled "Fake, do not install".
Below we will dig down and explain how the ad clicker works and the types of advertisements that are displayed.
The Album by Google Photos app is a progressive web app (PWA) that acts as a front end to Google Photos, but with a bundled ad clicker. While the app is running, this ad clicker repeatedly connects to remote hosts and loads advertisements in the background in order to generate revenue for the developers.
The ad clicker component consists of three files located in the app's folder called Block Craft 3D.dll, Block Craft 3D.exe, and Block Craft 3D.xr. You can see these files in the image of the folder below.
When a user starts the Album by Google Photos app they will be greeted by a screen asking them to log in to Google Photos. This is a legitimate login screen from Google, and though I did not see any indication that logins are being stolen, I would still not advise logging into Google Photos through this app.
In the background, the app will then connect to http://11k.online/Ad/constants/9n0wkj6hpz86.json and download a configuration file. This configuration file, shown below, contains settings on how often ads should be displayed, the URLs to the advertisement pages, and more. The configuration file also indicates that ads may be displayed directly in the app, but BleepingComputer did not see any when testing the app.
After the app reads the configuration file, it will connect to the various "AdBanner" URLs and display them in the background. You can see in the Fiddler traffic below the app connecting to each of the ad URLs.
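The behaviour described above, a config fetch followed by background requests to each ad URL, is also a usable detection pattern. The following is an added example for defenders, not code from the article or from the app: it parses a constructed config shaped like the one described (the field names `interval_seconds`, `show_in_app` and the list key `AdBanner` are assumptions, since the real file is only shown as a screenshot), extracts the hostnames a blocklist would need, and then scans constructed proxy log lines for a process that pulls a config from 11k.online and, within one display interval, contacts several of the ad hosts that config lists.

```python
"""Triage helper for an ad-clicker configuration and its proxy traffic.

Added example, not the article's or the app's own code. Config field
names (interval_seconds, show_in_app, AdBanner) and the log line format
are assumptions modelled on the article's description.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Host the article says the app fetches its configuration from.
CONFIG_HOST = "11k.online"

# Constructed config resembling what the article describes: a display
# interval plus a list of "AdBanner" URLs. Ad hostnames are placeholders.
SAMPLE_CONFIG = json.dumps({
    "interval_seconds": 30,
    "show_in_app": False,
    "AdBanner": [
        "http://ads-one.example/banner?id=1",
        "http://ads-two.example/landing",
        "http://ads-one.example/banner?id=2",
    ],
})

# Constructed proxy log lines (assumed format: timestamp process host path).
SAMPLE_LOG = """\
2018-10-02T10:00:00 AlbumByGooglePhotos.exe 11k.online /Ad/constants/9n0wkj6hpz86.json
2018-10-02T10:00:05 AlbumByGooglePhotos.exe ads-one.example /banner?id=1
2018-10-02T10:00:07 AlbumByGooglePhotos.exe ads-two.example /landing
2018-10-02T10:00:09 AlbumByGooglePhotos.exe ads-one.example /banner?id=2
2018-10-02T10:00:35 AlbumByGooglePhotos.exe ads-one.example /banner?id=1
2018-10-02T10:00:40 chrome.exe photos.google.com /
"""


def parse_config(raw):
    """Return (interval_seconds, [ad_urls]) from the JSON config text,
    keeping only http/https URLs so junk entries cannot poison the list."""
    cfg = json.loads(raw)
    urls = [u for u in cfg.get("AdBanner", [])
            if urlparse(u).scheme in ("http", "https")]
    return int(cfg.get("interval_seconds", 0)), urls


def indicators_from_config(raw):
    """Distinct hostnames worth blocking: every ad host plus the config host."""
    _, urls = parse_config(raw)
    hosts = {urlparse(u).hostname for u in urls}
    hosts.add(CONFIG_HOST)
    return sorted(hosts)


def parse_log(text):
    """Split log lines into (timestamp, process, host, path) tuples."""
    rows = []
    for line in text.splitlines():
        ts, proc, host, path = line.split(maxsplit=3)
        rows.append((datetime.fromisoformat(ts), proc, host, path))
    return rows


def find_ad_clickers(log_text, raw_config, min_ad_hosts=2):
    """Flag processes that fetch the config host and then, within one
    display interval of that fetch, reach at least `min_ad_hosts` distinct
    hosts named in the config's ad list. Returns {process: sorted hosts}."""
    interval, urls = parse_config(raw_config)
    ad_hosts = {urlparse(u).hostname for u in urls}
    window = timedelta(seconds=interval)

    by_proc = defaultdict(list)
    for row in parse_log(log_text):
        by_proc[row[1]].append(row)

    hits = {}
    for proc, rows in by_proc.items():
        rows.sort()  # chronological; tuples start with the timestamp
        config_times = [ts for ts, _, host, _ in rows if host == CONFIG_HOST]
        if not config_times:
            continue  # never pulled a config, so not this pattern
        start = config_times[0]
        seen = {host for ts, _, host, _ in rows
                if host in ad_hosts and start <= ts <= start + window}
        if len(seen) >= min_ad_hosts:
            hits[proc] = sorted(seen)
    return hits


if __name__ == "__main__":
    print("blocklist:", indicators_from_config(SAMPLE_CONFIG))
    print("ad clickers:", find_ad_clickers(SAMPLE_LOG, SAMPLE_CONFIG))
```

Keying the detection on the config fetch rather than on the ad hosts alone matters: a browser the user is actually driving can legitimately hit the same ad networks, but it will not first pull a JSON schedule from the operator's host and then fan out to the listed pages on a timer.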
When displaying an advertisement, the app does so in the background and does not show it to the user. So if the advertisement has audio, like a tech support scam stating you are infected, the user will hear it but not be able to see where it is coming from. This can be eerie when your computer starts telling you that it is infected because of a tech support scam ad, but you see no indication of which application is generating the warning.
When testing the ad URLs from the configuration file, the advertisements that were displayed were very similar to what we would see from adware. These ads included tech support scams, tons of pages pushing unwanted Chrome extensions, fake Java and Flash installers, blogs that buy traffic, and other low-quality sites.
For example, below you can see a tech support scam opened by the app that is pushing an unwanted system optimizer program by stating Windows is vulnerable.
It is not known how an app like this could have passed Microsoft's review process, considering it pretends to be from Google. Furthermore, as the reviews state that it is fake or malicious, you would think that would have triggered an alert to review it further.
BleepingComputer has contacted Microsoft with questions regarding the review process, but had not heard back from Microsoft by the time of this publication. This article will be updated with Microsoft's statement if we hear back from them.