Source: Andy OS Inc

It has been reported that a GPU Miner Trojan is being installed along with the popular Andy Android emulator and its users are rightfully concerned. This miner reportedly will use the graphics processing unit, or GPU, on the computer's graphic's card in order to mine cryptocurrency.

In a post on Reddit by user named TopWire. it was stated that Andy was installing a GPU Miner Trojan without a user's knowledge.  This Miner would be installed as C:\Program Files (x86)\Updater\updater.exe and when launched would use up the GPU on the computer. The user also posted a YouTube video showing this behavior, which is displayed at the end of this article.

What is concerning is that the Reddit poster has stated that he has tried to bring this up to the Andy team via the Facebook user group numerous times and has been repeatedly kicked out each time. 

What happens when you install Andy?

When I downloaded and tested the current Andy executable, I automatically saw something that rang alarm bells. It was using an adware bundler for its installer, which are known to sometimes perform sneaky installs of miners onto user's computers without their knowledge or permission.

According to VirusTotal, the Andy installer is being detected as an InstallCore variant, which is a known adware installer that present users with various "offers" when installing free software. These installers allow developers of free software, such as Andy, to generate revenue each time someone installs their program.

When testing the current Andy installer, I was presented with offers for Avast, the Search Manager Chrome Extension, and WinZip, which I declined.

Installer Offer from Andy
Installer Offer from Andy

Even after declining all of these offers, a program was still installed on my test computer. Guess what? It was a file called C:\Program Files (x86)\Updater\updater.exe. For me, though, the program just generated an error when it was executed.

Updater.exe Error
Updater.exe Error

If this file is indeed a GPU miner, I could be receiving this error because I am running it on a virtual machine that does not have a dedicated graphics card on it. When scanning it using VirusTotal, it does not indicate that it is a miner.

The updater.exe file posted by the Reddit, though, is clearly detected as a Miner. Furthermore, when examining the strings found in the Updater.exe Miner variant posted on Reddit, its strings indicate it is one as well.


Where is the installer coming from? The installer or Andy?

When testing the Andy installer using the sandbox site Any.Run, you can see a file called GoogleUpdate.exe being executed. When executed with the command line "GoogleUpdate.exe /svc" it launches another program named UpdaterSetup.exe, which installs the Updater.exe program and configures it to automatically start when you log into Windows.

This GoogleUpdate.exe program has a description of "AndyOS Update", which indicates it's part of Andy. Why it is named GoogleUpdate is not known, but I feel it is strange.

GoogleUpdate.exe Description
GoogleUpdate.exe Description

Furthermore, the GoogleUpdate.exe file is code signed by "Andy OS Inc". This indicates that the file belongs to Andy OS Inc or at least was intentionally signed by them.

GoogleUpdate.exe Signed by Andy OS Inc
GoogleUpdate.exe Signed by Andy OS Inc

Finally the signature further indicates that it belong to Andy OS Inc.

Digital Signature
Digital Signature

As the GoogleUpdate.exe is signed using a signature that is owned by Andy OS Inc, it would indicate that this file it one that belongs to them.

While Bleeping Computer has not been able to corroborate that Andy is installing Miners onto user's computers, we could confirm that it is creating an Updater.exe executable as described by the Reddit user's post. For now, it is advised that users do not install Andy until further information is given by the Andy developers.

Below is the video created by TopWire that demonstrates what he saw when installing Andy.

Bleeping Computer has reached out to both the marketing contact and support contacts at Andy OS for comment, but have not heard back at the time of this publication.

This is a developing story and will be updated as more information becomes available.

Related Articles:

GPU-Z Can Now Detect Fake NVIDIA Graphics Cards

Android Apps Pretend to Mine Unmineable CryptoCurrencies to Just Show Ads

Google Accidentally Pushed Internal November 2018 Security Update to Pixel User

Cheap Android Phones and Poor Quality Control Leads to Malware Surprise

Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones