A malicious application called "Album by Google Photos" was found in the Microsoft Store today, pretending to be created by Google. While it presents itself as part of Google Photos, it is an ad clicker that automatically and repeatedly opens hidden ads.
Quite a few users have downloaded and used the application, and the reviews in the Microsoft Store make it clear that this is not an innocent application.
Album by Google Photos is a progressive web application that works like Google Photos, but with a built-in ad clicker. As the application runs, the hidden ad clicker loads ads and clicks on them, generating revenue for its developers.
The ad clicker add-on consists of 3 extra files that can be found in the application folder. The files are named 3D.dll, Block Craft 3D.exe and Block Craft 3D.xr.
When the application is run, the user must log in to their account. The form displayed appears to be Google's official form, and after checking we did not find that the application is stealing user credentials. However, we would not recommend logging in.
After the user logs in, the application connects to an address and downloads a configuration file containing settings such as how often ads are loaded. Once the application has read the configuration file, it starts running. While it runs, the ads are hidden, so the user cannot see them. This means that when the ads lead to tech support scams, which play sounds and say that the computer is infected, the user can hear the audio but cannot see the page.
It is not yet known how this application passed Microsoft's security controls, but we hope it will be removed as soon as possible.