Our Malware Lab recently conducted an in-depth analysis of "Wallpapers Engine", an application distributed free of charge through the Microsoft Store.
Although it presents itself as a customisation tool for the Windows environment, the app incorporates a number of adware components aimed at distributing potentially unwanted content, such as invasive and potentially fraudulent advertisements, as well as behaviour that could deliver arbitrary code via a C2 server.
During our analysis, it emerged that the application is an advertising campaign vehicle that displays false warnings about problems in the system with the aim of inducing the user to install a PC cleaning application. The final payload is software that follows a pay-as-you-go model on practically every feature required to solve non-existent problems.
The analysis showed that a large part of the functionality offered was derived from legitimate open-source software, integrated into the app to give an appearance of reliability, but in all likelihood in violation of the relevant licences.
The most striking aspect is that the campaign was orchestrated by a publisher operating through a single account and always using the same unique identifier to sign the final Potentially Unwanted Program (PUP). This is a clear sign of a coordinated and repeated operation, and not an isolated case, aimed at exploiting the Microsoft Store ecosystem for circumvention and profit.
We believe that the invasive techniques used by this app should not be allowed on an official store, which is why Microsoft was warned before the report was published. However, we have not yet received a response, while the app is still available for download.
If you wish to learn more, here is the link to our full report.