A malicious app named “Album by Google Photos” was published by a developer in the Microsoft Store. The app disguises itself in the Microsoft app store as an official Google Photos app, but it is actually an ad clicker that repeatedly opens hidden advertisements on Windows 10.
The developer listed the publisher name as “Google LLC”, claiming the app was created by Google itself, even though Google does not offer its apps through the Microsoft Store. This trick has been attempted before by third-party developers trying to publish unofficial Google apps in the Windows store.
When the app was first posted to the Microsoft Store over the weekend, some users believed it to be a legitimate app from Google. However, other users posted reviews on the app's Microsoft Store page warning about the ads it shows in the background. Clicks on those hidden ads generate revenue for the developers of the malicious app.
This bundled ‘Ad Clicker’ application repeatedly connects to a remote computer to display hidden advertisements in the background, while in the front end it appears to be a legitimate “Album for Google Photos” app.
Security researchers who examined the app bundle found that the app folder contained three ad clicker files: Block Craft 3D.dll, Block Craft 3D.exe, and Block Craft 3D.xr. On first login, the app displays a legitimate Google login screen.
According to the Bleeping Computer report, that screen was a genuine Google login page. Although the researchers found no credential-theft functionality in the malicious app, it is still not recommended to use this app to log into Google Photos.
After installation, the app connects to a malicious URL to download configuration files containing settings such as how often ads should be displayed and the URLs of the advertisement pages.
The application also displays advertisements in the background without showing them to the user. For instance, if an advertisement has audio, like a tech support scam announcing “you are infected”, the user will hear it but not see it on the screen. Similarly, if the computer starts showing notifications that it is infected, the user has no way of knowing why or how the application is generating the warning, the Bleeping Computer report said.
The ads displayed were very similar to those served by adware. According to the Bleeping Computer report, they included tech support scams, unwanted Chrome extensions, fake Java and Flash installers, blogs that buy traffic, and other low-quality sites.
It is still unclear how a fake app claiming to be from Google LLC could pass Microsoft's verification process. However, following reports from many users, Microsoft has already removed the app from the Microsoft Store, so it can no longer be installed.
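A defender's check for the publisher-name spoof described above, added here as an example and not part of the original article: it lists installed Store packages whose free-text publisher name claims Google (which ships no apps through the Store), shows the certificate-bound identity publisher beside it, and enumerates the binaries in the install folder so oddly named files like the ones above stand out. The `Google` pattern is an assumed watch list, not something from the report.

```powershell
# Added example (not from the article): flag installed Store packages whose
# friendly publisher name claims to be Google and list the binaries they bundle.
# Assumptions: run as the user who installed the app on Windows 10;
# Get-AppxPackage / Get-AppxPackageManifest are the standard Appx cmdlets.

$suspectPattern = 'Google'   # assumed watch list; extend for other spoofed brands

foreach ($pkg in Get-AppxPackage) {
    $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName -ErrorAction SilentlyContinue
    if (-not $manifest) { continue }

    # Friendly name shown in the Store listing: free text chosen by the developer.
    # Some packages use 'ms-resource:' strings here, which this check does not resolve.
    $displayPublisher = $manifest.Package.Properties.PublisherDisplayName

    # Identity publisher must match the signing certificate subject, so it is the
    # value to trust when the two disagree.
    $identityPublisher = $pkg.Publisher

    if ($displayPublisher -match $suspectPattern) {
        Write-Output "Suspicious package: $($pkg.Name) ($($pkg.PackageFullName))"
        Write-Output "  Display publisher : $displayPublisher"
        Write-Output "  Identity publisher: $identityPublisher"

        # Executables and DLLs in the install folder; names unrelated to the app
        # (like the 'Block Craft 3D' files above) deserve a closer look.
        Get-ChildItem -Path $pkg.InstallLocation -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            ForEach-Object { Write-Output "  Bundled binary: $($_.FullName)" }
    }
}
```

A display publisher that does not match the identity publisher is the signal to act on; the Store listing text alone proves nothing about who signed the package.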