Chinese Android emulator LDPlayer has been in some hot water recently over a suspicious file shipped with its installer.
To start, u/TheImmortalMaster posted on r/LastCloudia claiming that the emulator installs "multiple crypto miners":
I installed it to reroll a few accounts and even through a sandbox it managed to rewrite multiple Windows system files, along with plenty of shady work within the box like additional unrelated DLLs being run under svchost and multiple randomly generated name exes with no relation to the player's function...
I'm no cyber security specialist, but I know a miner when I see one, and I am certain the further additions are not for my benefit given that manual removal only improved the function of the emulator itself (fewer crashes, and dramatically lower resource usage)... after extensive repairs and removing the player's access to TrustedInstaller I think I have this contained, but I do plan on finding a new player, or a reverse engineered version of one of the popular ones (which all have some form of spyware/crypto miner at this point) without the bs. After transferring my account I'll be doing a fresh install of Windows myself.
Also I used the installer from their main page, and while the infected files do not trigger any detections yet, they are in fact malicious miners and spyware as far as I can tell. Strangely enough many users reported that some of the potential viruses (fyservice in my experience) never actually ran even after being installed, perhaps set to trigger later in order to avoid user association with the player installation.
All in all the damage seems pretty extensive, not worth the effort to attempt to manually repair at least based on my skill level.
The post was quickly shared to r/GachaGaming, where users were instructed to delete a specific file, fyservice.exe, to stop the alleged mining.
Several days later, Redditor u/serrres messaged LDPlayer directly via Facebook and was told to "just ignore" the situation.
Second and third screenshots of the conversation showed LDPlayer's responses deteriorating, ending in "no hack / no add / you are banned".
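Before deleting anything, it is worth establishing what fyservice.exe actually is on your own machine: whether it is running, whether it is registered as a service, scheduled task or Run entry (which would explain the "installed but never ran" reports), and what its hash and Authenticode signature are so the file can be compared with other users' copies or looked up in a scanner. The PowerShell below is an added example and is not code from the original post, the subreddit or LDPlayer; it assumes the process, service and file all share the base name "fyservice" (the page only gives the file name) and, because the page does not state the LDPlayer install path, it locates the binary by name rather than by a hard-coded directory.

```powershell
# Added triage script (not from the Reddit post or from LDPlayer).
# Assumption: binary, process and service all carry the base name "fyservice".
# Run from an elevated prompt so process paths and HKLM are readable.
$Name  = 'fyservice'
$found = @()   # candidate binary paths collected from every source below

# 1. Is it running right now?
foreach ($p in (Get-Process -Name $Name -ErrorAction SilentlyContinue)) {
    "RUNNING  PID $($p.Id)  $($p.Path)"
    if ($p.Path) { $found += $p.Path }
}

# 2. Is it installed as a Windows service? (persists across reboots even if idle now)
foreach ($s in (Get-CimInstance Win32_Service | Where-Object {
        $_.Name -like "*$Name*" -or $_.PathName -like "*$Name*" })) {
    "SERVICE  $($s.Name)  state=$($s.State)  start=$($s.StartMode)  $($s.PathName)"
    # PathName may be quoted and carry arguments; keep only the executable part
    if ($s.PathName -match '^"?([^"]+?\.exe)') { $found += $Matches[1] }
}

# 3. Scheduled tasks and Run keys: where a "trigger later" mechanism would live
foreach ($t in (Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*$Name*" })) {
    "TASK     $($t.TaskPath)$($t.TaskName)  $($t.Actions.Execute)"
}
foreach ($hive in 'HKLM', 'HKCU') {
    $key   = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PSObject.Properties
    foreach ($v in ($props | Where-Object { "$($_.Value)" -like "*$Name*" })) {
        "RUNKEY   $key\$($v.Name) = $($v.Value)"
    }
}

# 4. Hash and signature of every binary found, for comparison and scanner lookups
foreach ($f in ($found | Sort-Object -Unique | Where-Object { $_ -and (Test-Path $_) })) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $f).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $f
    "FILE     $f"
    "         sha256=$hash  signature=$($sig.Status)  signer=$($sig.SignerCertificate.Subject)"
}
if (-not $found) { "No process, service, task or Run entry matching '$Name' was found." }
```

An unsigned binary that is registered as an auto-start service or scheduled task but has no running process is consistent with the "installed but never ran" reports above; the SHA256 lets you compare your copy against other users' and against the version LDPlayer ships after its promised update.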
A meme about the exchange reached the top of the subreddit. LDPlayer subsequently issued the following statement:
The fyservice.exe is not a cryptominer but just adware which only triggers pop-up image ads when you initialize LDPlayer. While adware may be falsely considered malware, we will release a new version to solve the false report from antivirus software. We understand that our users really care about their security and we also do, and it's okay to check the full package of LDPlayer. But to be clear, we will not put any truly harmful virus or malware into our emulator. We know that compared to other emulators, LDPlayer is just in its developing phase and there's still a long way to reach the edge. (This is the worst strategy for us, even for any software, to affiliate LDPlayer with any malware.) Our first priority is to focus on developing LDPlayer so that we can provide a promising emulator to our overseas users.
We hope that the rumor could be discussed rationally or just stop the rumor. We really need your support to develop the best gaming Android emulator so as to bring the smoothest gaming experience to you.
The comments largely chastise the company for its poor handling of the situation.
LDPlayer has not committed to removing the offending file. Stay tuned for further details on the situation.