After running the Andy OS installer and declining all offers, it appears to install a program called ‘Updater.exe’ via a fake ‘GoogleUpdate.exe’, before setting it to run at startup. According to BleepingComputer’s Lawrence Abrams, GoogleUpdate.exe has a description of “AndyOS Update” and is code signed by the company, showing that the company either created the file or intentionally signed it. The file’s signature also belongs to Andy Inc., making it likely the company is aware of the process.
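The persistence described above (a binary borrowing a familiar updater name, dropped into an auto-start location and signed by an unexpected publisher) is something an administrator can check for directly. The following PowerShell script is an added example written for this page, not code from the article, Andy OS or BleepingComputer. It enumerates the Run registry keys and Startup folders, resolves shortcuts to their targets, and reports each executable's file description and Authenticode signer, flagging entries named GoogleUpdate whose signer does not contain "Google" (that name/signer heuristic is an assumption of this example, not something the article states). It assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the article): list Windows auto-start entries with
# their file description and Authenticode signer so that a look-alike updater
# signed by the wrong publisher stands out. Assumes Windows PowerShell 5.1+.

# Registry Run keys for the current user and the machine (including the
# 32-bit view on 64-bit Windows).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Metadata properties that Get-ItemProperty adds to every registry object.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExePathFromCommand {
    param([string]$Command)
    # Take the quoted executable, or the first token ending in .exe, and drop arguments.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Resolve-StartupItem {
    param([System.IO.FileInfo]$File)
    # Startup folders usually hold .lnk shortcuts; follow them to the real target.
    if ($File.Extension -ieq '.lnk') {
        $shell = New-Object -ComObject WScript.Shell
        return $shell.CreateShortcut($File.FullName).TargetPath
    }
    return $File.FullName
}

$entries = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $entries += [pscustomobject]@{
            Source = $key
            Name   = $p.Name
            Path   = Get-ExePathFromCommand ([string]$p.Value)
        }
    }
}

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        $entries += [pscustomobject]@{
            Source = $dir
            Name   = $f.Name
            Path   = Resolve-StartupItem $f
        }
    }
}

$report = foreach ($e in $entries) {
    $path = [Environment]::ExpandEnvironmentVariables($e.Path)
    $status = 'MissingFile'; $signer = ''; $desc = ''
    if ($path -and (Test-Path $path)) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $desc   = (Get-Item $path).VersionInfo.FileDescription
    }
    # Heuristic (an assumption of this example): a file called GoogleUpdate.exe
    # whose signer subject does not mention Google deserves a closer look.
    $note = ''
    if (($e.Name -match 'GoogleUpdate') -or ($path -match 'GoogleUpdate\.exe$')) {
        if ($signer -notmatch 'Google') { $note = 'NAME/SIGNER MISMATCH' }
    }
    [pscustomobject]@{
        Source      = $e.Source
        Name        = $e.Name
        Path        = $path
        Description = $desc
        SigStatus   = $status
        Signer      = $signer
        Note        = $note
    }
}

$report | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and the all-users Startup folder are readable. A valid signature only tells you who signed the file, not whether it is benign; the point of the report is that the signer and file description of every auto-start entry are visible in one place, so an entry whose name, description and publisher disagree can be investigated further.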
Further, TopWire says: “A friend opened Andy in process explorer to see the files it drops upon installation. By the looks of things, the installer isn’t at fault. Andy itself calls an IP which then transfers the bitcoin miner to your system.”
Andy OS Response
So far, Andy OS is yet to make an official statement on the matter, though an executive at the company allegedly told TopWire that the crypto miner comes via their third-party installation file. After seeking answers on Facebook, the Reddit user was removed from the support group several times. Though the installation of a crypto miner hasn’t been confirmed definitively by a third party, Abrams confirms that the file provided by TopWire contains strings referencing mining. Additionally, VirusTotal marks the installer as an InstallCore variant and updater.exe as a miner. Andy support says it’s investigating the issue but is yet to remove the installer from its site.