Powershell Windows Toolbox is an interesting-sounding app that promises to install the full Google Play Store on Windows 11. However, according to a new report by Bleeping Computer, the app is putting malware onto systems instead.
Part of the problem here is that Powershell Windows Toolbox may look like a genuine Microsoft app to some users. After all, it has both Windows and Powershell in its name, two Microsoft products, and that familiarity appears to be part of the trick the app relies on while it infects systems.
It was available on GitHub to put the Google Play Store on Windows 11, taking advantage of the platform's Windows Subsystem for Android feature. That is the underpinning of Microsoft's support for Android apps on Windows 11.
The app also claimed to remove bloatware from Windows. Instead of doing what was promised, the tool was a virus that executed hidden PowerShell scripts (notice the subtle difference between Microsoft's “PowerShell” and the app's “Powershell”).
Those scripts would run in the background on Windows 11 and install a trojan clicker. Once installed, the clicker pings Cloudflare servers to execute commands and place malware files onto the target device. It will also sometimes send the user to scam URLs.
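The article describes scripts that ran unseen in the background. One way a defender can look for that kind of activity on a Windows 11 machine is to search the PowerShell operational event log for script blocks that show hidden-window, encoded or download-and-execute traits. The script below is an added example written for this page; it is not the toolbox's code and not from the Bleeping Computer report. It assumes PowerShell Script Block Logging (event ID 4104) is enabled, and the indicator list is a constructed, generic set of strings rather than the actual indicators of this malware.

```powershell
# Added defender-side example (not from the article): hunt the PowerShell
# operational log for script blocks with traits of hidden/background execution.
# Assumes an elevated prompt; Script Block Logging must be on for 4104 events to exist.

function Enable-ScriptBlockLogging {
    # Turns on the policy key that makes PowerShell record every script block
    # as event ID 4104 in Microsoft-Windows-PowerShell/Operational.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

# Constructed, generic indicator strings for illustration; not this malware's IoCs.
$Indicators = @(
    '-EncodedCommand',
    'FromBase64String',
    '-WindowStyle Hidden',
    '-w hidden',
    'DownloadString',
    'Invoke-WebRequest',
    'Invoke-Expression',
    '-ExecutionPolicy Bypass',
    '-ep bypass'
)

function Get-SuspiciousScriptBlocks {
    param(
        [int]$Days = 7,
        [string[]]$Patterns = $Indicators
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # For 4104 events, Properties[2] holds the script text and
        # Properties[4] the script path (empty when run from memory).
        $text = [string]$ev.Properties[2].Value
        $path = [string]$ev.Properties[4].Value

        # Case-insensitive literal match against each indicator string.
        $hits = $Patterns | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                TimeCreated = $ev.TimeCreated
                ScriptPath  = if ($path) { $path } else { '<in-memory>' }
                Indicators  = ($hits -join ', ')
                Snippet     = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Usage: review the last 30 days, newest first. Script blocks with no file path
# and several indicators are the ones worth inspecting in full.
Get-SuspiciousScriptBlocks -Days 30 |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

Matches are only leads, not verdicts: legitimate management tooling also downloads and executes scripts. Pivot from a hit to the full 4104 event (and the adjacent 4103 pipeline events, if Module Logging is on) to read the complete script block before deciding anything.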
It is also worth noting that the app does do what it says it would: install Google Play and debloat Windows 11. Clearly, this is a relatively sophisticated attack that looks legitimate while also compromising systems. Powershell Windows Toolbox has since been removed from GitHub.
If you have already used the app, it is worth checking out Bleeping Computer's list of files under C:\systemfile that you should delete. Doing a clean install of Windows may also remove all traces of the infection, as could restoring from a backup.
The obvious takeaway here is to be very careful about which third-party tools you install on Windows. Yes, most of them will help to improve your experience, but do some research to ensure the apps you install are legitimate and/or truly helpful.
Tip of the day: The Windows Sandbox gives Windows 10/11 Pro and Enterprise users a safe space to run suspicious apps without risk. In our tutorial we show you how to enable the Windows Sandbox feature.