A GPU Miner Trojan is reportedly being installed alongside an Android emulator called Andy in the computers of unsuspecting users. The miner is using people’s GPUs to mine cryptocurrency.
A Reddit thread created by a user named TopWire details how Andy is installing the GPU miner. It mentions that the miner is being installed after creating the following file directory: “C:\Program Files (x86)\Updater\updater.exe”. Once installed, it reportedly began hogging the users’ GPU resources to mine cryptocurrency.
TopWire says he even tested the Andy executable file (updater.exe) by installing it on his computer. The program was installed through an adware bundle, according to the Redditor. Quite often, these bundles install miners on people’s computers without their permission and without them even noticing, until of course their processor is exhausted. VirusTotal, a subsidiary security company of Google Inc., notes that users’ operating systems are inaccurately detecting the Andy installer as a popular adware installer, which is variation of InstallCore.
The InstallCore variant usually gives users “offers” while installing its free software packages. These “offers” help developers get paid for creating free software like the Andy Android emulator. TopWire noted that he received various offers that he did not accept.
Despite rejecting these, the updater.exe file made its way onto his machine’s hard drive. However, TopWire added that the program just gave him an error message soon after it was executed. This, per TopWire, as he was running a virtual machine to run it, which didn’t give it access to a graphics card.
The Redditor revealed he attempted to contact the software’s developers through their official Facebook group, however, his comments were ignored and he was even banned from the group. Moreover, the VirusTotal scanner does not detect the program as a miner. Interestingly, a VirusTotal scan of the updater.exe file shared on Reddit does detect the updater.exe file as a miner.
Those who tested the Andy installer on Any.run, a website that provides live access to virtual machines, saw a GoogleUpdate.exe file being run.
Checking its description shows it is labeled as “AndyOS Update”, suggesting a link to Andy. Why is the file called GoogleUpdate is unclear. Interestingly, GoogleUpdate.exe’s source code is marked by an “Andy OS Inc” signature. This suggests that either Andy OS Inc purposely signed the file and/or was the file’s author.
The redditor created a video on what happened to his system after installing the Android emulator. Redditor Lawrence Abraham, a writer at Bleeping Computer who’s been investigating this issue, posted an update that reveals he asked the emulator’s staff why they’re still serving infected files.
After seeing that comment, and probably after seeing this reddit thread they've removed me from the group. A friend opened Andy in process explorer to see the files it drops upon installation. By the looks of things, the installer isn't at fault. Andy itself calls an IP which then transfers the bitcoin miner to your system.