Android emulator Andy OS seems to be secretly installing a Bitcoin miner
Cryptocurrency mining malware has become a serious problem recently, and it seems the latest people to fall victim to the threat are users of the Android emulator Andy OS -- also referred to as AndY and Andyroid.
The emulator makes it possible to run Android software within Windows or macOS, but it appears that the installation harbors a dark secret -- a GPU miner trojan that secretly mines for Bitcoin. Over on Reddit there are large numbers of upset users trying to find out what's going on.
The issue was discovered over the weekend by Reddit user TopWire, who became suspicious about GPU usage after installing Andy. With a little investigation, he came to the conclusion that a cryptocurrency miner was to blame, visible as the process updater.exe. Reporting the issue to the developers of the emulator resulted in a mixture of stories and, ultimately, TopWire being blocked from the support forums.
The full story is shared on Reddit, and TopWire has created a video of his findings.
As Andy uses a third-party installer, there are suggestions that this is to blame for the miner rather than the emulator itself, but the concern is about the development team's apparent lack of interest in -- and transparency about -- the matter.
Over on Bleeping Computer, Lawrence Abrams did a bit of investigating. He noted that even when declining all of the bundled adware offered up by Andy's installer, it seemed that the miner was installed. He also notes that VirusTotal has marked the installer as an InstallCore variant with various warnings attached to it, and that the updater.exe file is detected as a cryptocurrency miner.
If you have Andy installed and you're concerned, TopWire suggests the following steps for completely removing it from your computer:
- Close every Andy-related process via task manager.
- Uninstall Andy via Windows
- Look for a process named 'Updater' (This is the miner and surprisingly enough won't be uninstalled when you uninstall Andy! Would you believe it!)
- Right click that process and click 'Go to details'
- Right click 'exe' in details and click 'End process tree'
- Navigate to C:\Program Files (x86)
- Click once on the folder named 'Updater' and then press Shift+Delete
- Click once on the folder named 'AndyOS' and then press Shift+Delete
- Recheck task manager to confirm no more Andy services are running
- Download Malwarebytes and perform a full system scan to check if anything was missed
- Download CCleaner and do a registry fix. Multiple Andy registry entries will be found. Delete these and scan again to ensure that nothing was missed
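
To confirm the steps above left nothing behind, the following read-only PowerShell audit can be run from an elevated prompt. It is an added example, not from the article or from TopWire. It assumes the default install location, and it goes slightly beyond the listed steps by also reporting services and scheduled tasks that point into the two folders.

```powershell
# Added example: read-only audit, nothing is stopped or deleted.
# Folder and process names are the ones named in the article; matching on
# them (and on paths under those folders) is this example's assumption.
$base = ${env:ProgramFiles(x86)}
if (-not $base) { $base = $env:ProgramFiles }   # 32-bit Windows has no (x86) folder
$folders = 'Updater', 'AndyOS' | ForEach-Object { (Join-Path $base $_) + '\' }

function Test-UnderFolder([string]$Text) {
    # True when a path or command line references one of the two folders.
    if (-not $Text) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Text)
    foreach ($f in $folders) {
        if ($expanded.IndexOf($f, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

$findings = @()

# Folders the uninstaller may have left behind.
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) {
        $findings += [pscustomobject]@{ Type = 'Folder'; Name = $f; Detail = 'still on disk' }
    }
}

# Running processes: the 'Updater' name, or any image loaded from those folders.
# Other software also ships an updater.exe, so read the path before acting on a name match.
Get-CimInstance Win32_Process | Where-Object {
    $_.Name -ieq 'updater.exe' -or (Test-UnderFolder $_.ExecutablePath)
} | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Name = "$($_.Name) (PID $($_.ProcessId))"; Detail = $_.ExecutablePath }
}

# Services and scheduled tasks that would relaunch the binary after a reboot.
Get-CimInstance Win32_Service | Where-Object { Test-UnderFolder $_.PathName } | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = "$($_.State): $($_.PathName)" }
}
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (Test-UnderFolder "$($a.Execute) $($a.Arguments)") {
            $findings += [pscustomobject]@{ Type = 'Task'; Name = $task.TaskPath + $task.TaskName; Detail = $a.Execute }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'No Updater/AndyOS processes, folders, services or tasks found.' }
```

An empty result after a reboot indicates the removal held; any Service or Task row explains a miner process that reappears after being ended.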