Andy Android emulator could be secretly installing a GPU cryptominer
A GPU Miner Trojan is reportedly being installed along with the popular Andy Android emulator without users’ knowledge. Reddit users have reported Andy has been secretly installing the miner that uses the graphics processing unit (GPU) of the targeted computer to mine cryptocurrency.
A Reddit user going by the name TopWire reported that the miner gets installed as C:\Program Files (x86)\Updater\updater.exe and, when launched, uses up the GPU on the computer. The malware also uses an adware bundler for its installer; such bundlers are known to quietly install miners onto users’ computers without their knowledge or permission, Bleeping Computer reports.
“I noticed that in every single game I played I suffered major FPS drops at seemingly random times. I checked my GPU usage and temps and noticed they were working at roughly 80% load and 80+ degrees C whilst gaming,” TopWire noted. “Very unusual for my setup. I opened task manager and sorted it via what was using the most GPU power and found a process named 'updater.exe'. After further inspection I noticed that this installed along with Andy.”
According to VirusTotal, the installer has been detected as a variant of InstallCore, which works as an adware installer and lures users with special offers to install free software. In this way, the installer allows the developers of free software to generate revenue every time someone installs their program.
When BleepingComputer tested the Andy installer using the sandbox site Any.Run, a file called was found to be executed. Another program named UpdaterSetup.exe is then launched to install a program that is configured to automatically start when a user logs into Windows. This GoogleUpdate.exe program reportedly has a description of “AndyOS Update”, while the GoogleUpdate.exe file is code signed by “Andy OS Inc”, which could indicate that it is a part of Andy.
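A read-only host check for the artifacts described above, as an added example that is not from BleepingComputer, TopWire or the Andy developers. It assumes a Windows host with PowerShell and takes the file path, file names and signer name from this article; the autostart locations it searches are assumptions, since the report does not say which mechanism is used.

```powershell
# Added example; the file path, file names and signer come from the article above.
$reportedPath   = 'C:\Program Files (x86)\Updater\updater.exe'
$reportedNames  = 'updater.exe', 'GoogleUpdate.exe', 'UpdaterSetup.exe'
$reportedSigner = 'Andy OS Inc'

function Get-SignerInfo([string]$Path) {
    # Expand %VARS% and strip quotes, then report who signed the file (if it exists).
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { return }
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    [pscustomobject]@{
        Path          = $p
        Status        = $sig.Status
        Signer        = $sig.SignerCertificate.Subject
        MatchesReport = [bool]($sig.SignerCertificate.Subject -like "*$reportedSigner*")
    }
}

function Test-ReportedName([string]$Text) {
    # True when a command line mentions one of the reported executable names.
    [bool]($reportedNames | Where-Object { $Text -like "*$_*" })
}

# 1. The miner binary at the location TopWire reported.
Get-SignerInfo $reportedPath

# 2. Logon autostart entries from Run keys and Startup folders (assumed locations).
Get-CimInstance -ClassName Win32_StartupCommand |
    Where-Object { Test-ReportedName $_.Command } |
    Select-Object Name, Command, Location, User

# 3. Scheduled tasks (assumed location). Google's own updater is also named
#    GoogleUpdate.exe, so the signer is what separates it from the reported file.
Get-ScheduledTask | ForEach-Object {
    foreach ($exe in $_.Actions.Execute) {
        if ($exe -and (Test-ReportedName $exe)) {
            $info = Get-SignerInfo $exe
            [pscustomobject]@{ Task = $_.TaskPath + $_.TaskName; Execute = $exe
                               Signer = $info.Signer; MatchesReport = $info.MatchesReport }
        }
    }
}
```

Run it from an elevated prompt so that tasks and startup entries belonging to other accounts are visible; rows with `MatchesReport` set to `True` are the ones signed as the article describes.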
TopWire claimed that he tried to report the issue to the Andy team via the Facebook user group multiple times. However, he said he was removed from the group.
Users have been advised not to install Andy until the developers provide additional information.