[SAFE-ID: JIWO-2025-1562]   Author: 闲云野鸡   Published: [2018-06-21]


According to reports, a GPU-mining trojan is being installed alongside the popular Andy Android emulator. The miner uses the graphics processing unit (GPU) on the computer's graphics card to mine cryptocurrency. One user reported that Andy installed the GPU miner trojan without the user's knowledge; when launched, the trojan consumes the computer's GPU.

It has been reported that a GPU Miner Trojan is being installed along with the popular Andy Android emulator, and its users are rightfully concerned. This miner reportedly uses the graphics processing unit, or GPU, on the computer's graphics card in order to mine cryptocurrency.

In a post on Reddit by a user named TopWire, it was stated that Andy was installing a GPU Miner Trojan without the user's knowledge. This Miner would be installed as C:\Program Files (x86)\Updater\updater.exe and, when launched, would use up the GPU on the computer. The user also posted a YouTube video showing this behavior, which is displayed at the end of this article.

What is concerning is that the Reddit poster has stated that he has tried to bring this up to the Andy team via the Facebook user group numerous times and has been repeatedly kicked out each time. 

What happens when you install Andy?

When I downloaded and tested the current Andy executable, I immediately saw something that rang alarm bells. It was using an adware bundler for its installer, and such bundlers are known to sometimes perform sneaky installs of miners onto users' computers without their knowledge or permission.

According to VirusTotal, the Andy installer is being detected as an InstallCore variant, a known adware installer that presents users with various "offers" when installing free software. These installers allow developers of free software, such as Andy, to generate revenue each time someone installs their program.

When testing the current Andy installer, I was presented with offers for Avast, the Search Manager Chrome Extension, and WinZip, which I declined.

[Image: Installer Offer from Andy]

Even after declining all of these offers, a program was still installed on my test computer. Guess what? It was a file called C:\Program Files (x86)\Updater\updater.exe. For me, though, the program just generated an error when it was executed.

[Image: Updater.exe Error]

If this file is indeed a GPU miner, I could be receiving this error because I am running it on a virtual machine that does not have a dedicated graphics card on it. When scanning it using VirusTotal, it does not indicate that it is a miner.

The updater.exe file posted by the Reddit user, though, is clearly detected as a Miner. Furthermore, the strings found in that Updater.exe variant indicate that it is a miner as well, as they contain the fields of the JSON-RPC protocol miners use to submit work to a mining pool:

{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s"
Unauthenticated
[0m
,"job_id":"%s","nonce":"%s","result":"%s","inst_date":"%s","userID":"%s"}}
[31m
[33m
job_id
[01;37m
target
job
[01;30m
blob
coin
coin
variant
variant
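The strings above are the kind of evidence a defender can score mechanically: the JSON-RPC "submit" format string with job_id/nonce/result fields is specific to pool-mining clients, while bare words such as "target" or "variant" appear in plenty of benign binaries. The following is an added example (not code from the article, from BleepingComputer, or from Andy) that extracts printable strings the way the `strings` tool does and weights the two kinds of indicators separately. The two sample byte blobs are constructed for the example; the miner-like one embeds the format strings quoted above, with the ESC byte restored in front of the colour codes, which is why a strings dump shows fragments like `[0m` on their own line.

```python
import re
from typing import Dict, List

# Format-string indicators taken from the strings the article lists for the
# Updater.exe sample: fields of the Stratum-style JSON-RPC protocol that
# pool-mining clients use to submit results.
STRONG_INDICATORS = {
    "jsonrpc_submit": rb'"jsonrpc":"2.0","method":"submit"',
    "job_id_field": rb'"job_id":"%s"',
    "nonce_field": rb'"nonce":"%s"',
    "result_field": rb'"result":"%s"',
}
# Bare words from the same dump; common in benign code, so only counted in bulk.
WEAK_INDICATORS = {
    "job_id": rb"job_id", "target": rb"target", "blob": rb"blob",
    "coin": rb"coin", "variant": rb"variant",
}


def extract_strings(data: bytes, min_len: int = 3) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, as `strings` reports them.
    A non-printable byte such as the ESC of an ANSI colour code ends a run."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def score_miner_indicators(data: bytes) -> Dict[str, object]:
    """Return the indicators hit and a verdict based on their weight."""
    strong = [name for name, pat in STRONG_INDICATORS.items() if pat in data]
    weak = [name for name, pat in WEAK_INDICATORS.items() if pat in data]
    if len(strong) >= 2:
        verdict = "likely miner"
    elif strong or len(weak) >= 4:
        verdict = "suspicious"
    else:
        verdict = "no miner indicators"
    return {"strong": strong, "weak": weak, "verdict": verdict}


# Constructed sample (hypothetical): the article's format strings inside filler
# bytes, with \x1b restored before the colour codes as a real binary would have.
SAMPLE_MINER = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b'{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s"\x00'
    + b"Unauthenticated\x00\x1b[0m\x00"
    + b',"job_id":"%s","nonce":"%s","result":"%s","inst_date":"%s","userID":"%s"}}\x00'
    + b"\x1b[31m\x00\x1b[33m\x00job_id\x00target\x00job\x00blob\x00coin\x00variant\x00"
)
# Constructed benign sample (hypothetical): ordinary words overlapping the weak list.
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 32 + b"build target\x00release variant\x00Updater\x00"

if __name__ == "__main__":
    for label, blob in (("miner-like", SAMPLE_MINER), ("benign", SAMPLE_BENIGN)):
        print(label, score_miner_indicators(blob))
        for s in extract_strings(blob):
            print("   ", s)
```

Run it against a file with `score_miner_indicators(open(path, "rb").read())`. Only the format strings carry real weight; the bare words never produce more than a "suspicious" result on their own, which keeps false positives from ordinary build artefacts low.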

Where is the installer coming from? The installer or Andy?

When testing the Andy installer using the sandbox site Any.Run, you can see a file called GoogleUpdate.exe being executed. When executed with the command line "GoogleUpdate.exe /svc" it launches another program named UpdaterSetup.exe, which installs the Updater.exe program and configures it to automatically start when you log into Windows.

This GoogleUpdate.exe program has a description of "AndyOS Update", which indicates it's part of Andy. Why it is named GoogleUpdate is not known, but I feel it is strange.
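The chain described above (an installer spawning a vendor updater, which spawns a setup program, which registers a third executable to start at logon) is exactly the kind of relationship endpoint telemetry can surface. The following is an added example, not code from the article, BleepingComputer or Andy, that walks a set of Sysmon-style events (process creation and registry value set; the events below are constructed for the example and are not a real capture) and, for every write to a Run key, reports the ancestry of the writing process and whether the registered autostart path lies outside every directory in that ancestry. The product registering itself from its own install folder is left unflagged.

```python
import ntpath
from typing import Dict, List

RUN_KEY_MARKER = "\\currentversion\\run\\"

# Constructed events in a Sysmon-like shape (hypothetical, not real telemetry):
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Users\test\Downloads\AndyInstaller.exe"},
    {"EventID": 1, "ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Andy\GoogleUpdate.exe",
     "CommandLine": "GoogleUpdate.exe /svc"},
    {"EventID": 1, "ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Users\test\AppData\Local\Temp\UpdaterSetup.exe"},
    {"EventID": 13, "ProcessId": 300,
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files (x86)\Updater\updater.exe"},
    # A product registering itself from its own install directory: not flagged.
    {"EventID": 1, "ProcessId": 500, "ParentProcessId": 1,
     "Image": r"C:\Program Files\ExampleVendor\App\app.exe"},
    {"EventID": 13, "ProcessId": 500,
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
     "Details": r"C:\Program Files\ExampleVendor\App\app.exe"},
]


def ancestry(procs: Dict[int, Dict], pid: int) -> List[Dict]:
    """Process-creation events from pid up to the root, child first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ParentProcessId"]
    return chain


def find_autorun_writes(events: List[Dict]) -> List[Dict]:
    """One finding per Run-key write, with the writer's ancestry and a flag set
    when the registered path is outside every ancestor's directory."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 13 or RUN_KEY_MARKER not in e["TargetObject"].lower():
            continue
        chain = ancestry(procs, e["ProcessId"])
        target = e["Details"].strip('"')
        # ntpath handles Windows separators even when this runs on Linux.
        ancestor_dirs = {ntpath.dirname(p["Image"]).lower() + "\\" for p in chain}
        outside = not any(target.lower().startswith(d) for d in ancestor_dirs)
        findings.append({
            "autorun_value": e["TargetObject"],
            "autorun_target": target,
            "chain": [ntpath.basename(p["Image"]) for p in chain],
            "outside_installer_dirs": outside,
        })
    return findings


if __name__ == "__main__":
    for f in find_autorun_writes(SAMPLE_EVENTS):
        flag = "FLAG" if f["outside_installer_dirs"] else "ok  "
        print(flag, " <- ".join(f["chain"]), "=>", f["autorun_target"])
```

The flagged finding reproduces the chain the article describes: UpdaterSetup.exe, launched by GoogleUpdate.exe, launched by the installer, registering an executable under a directory none of them lives in. Real Sysmon output needs the same mapping from process GUIDs rather than reused PIDs, but the ancestry walk and the path comparison are unchanged.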

[Image: GoogleUpdate.exe Description]

Furthermore, the GoogleUpdate.exe file is code signed by "Andy OS Inc". This indicates that the file belongs to Andy OS Inc or at least was intentionally signed by them.

[Image: GoogleUpdate.exe Signed by Andy OS Inc]

Finally, the signature details further indicate that it belongs to Andy OS Inc.

[Image: Digital Signature]

As GoogleUpdate.exe is signed with a certificate owned by Andy OS Inc, this indicates that the file is one that belongs to them.

While Bleeping Computer has not been able to corroborate that Andy is installing Miners onto users' computers, we could confirm that it is creating an Updater.exe executable as described in the Reddit user's post. For now, it is advised that users do not install Andy until further information is given by the Andy developers.

Below is the video created by TopWire that demonstrates what he saw when installing Andy.

Bleeping Computer has reached out to both the marketing and support contacts at Andy OS for comment, but had not heard back at the time of this publication.

[Source: jiwo.org]
