Malware in GDevelop 5.0.0 beta100?

Hello game developers!

I downloaded the latest version 5.0.0 beta100 from GitHub for 64-bit Windows, it didn’t work on my Windows 7 (a window just appears and nothing more) so I uninstalled it, and several hours later a strange notification appeared, it asked me to make a backup of PRIVATE KEY/CERTIFICATE because some service started to encrypt my file system using standard EFS functions! I launched cipher.exe to check the file system and some newly created files actually became encrypted. So I just removed all the certificates/keys from the system using certmgr.msc and the problem was resolved (?). I strongly suspect that your release contains malware. Please check it asap. The other possibility is Godot engine, because I also installed it today. So I will ask people on Godot forums also.

I’ve had beta 100 installed for a month now, and even reinstalled it as recently as last week, with no issue.

Additionally, Github tracks all code commits that occur to the engine. (Commits · 4ian/GDevelop · GitHub) Looking at the commits, no unknown persons have committed code, and all of the code I can see from the normal contributors would not impact this.

Unfortunately, it’s very unlikely that this is from GDevelop. Godot is the same way, and is also very unlikely to be the cause, but definitely inquire there.


Ok. Thank you for the reply. I remember several cases with package managers that automatically attached infected third-party components (like from node.js etc.).
I’m talking about this scenario: New EFS Ransomware Attack Uses Windows Encrypting File System Against Itself
But if there’s no reports from users during the whole month, then I’m starting to think that this is godot, godot was installed after gdevelop, and I also installed 3d voxel example project from the godot repository.

That’s not how malware works. You don’t stop it by removing system certificates. If anything, the malware would make you remove the certificates. No antivirus software or system would be like “oh no, you have malware, you need to do this operation to stop it !!1!”. It would just do said operation.

This is a private certificate that was generated by some unknown program. I never used EFS. Actually, I even turned off this function in registry. Nowadays, malware is much more buggy and simple than 20 years ago, written in higher languages, and this notification from Windows will be ignored by most users. Antiviruses probably will not detect such new trojans, I agree with you.
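A defender's triage script for the three things discussed in this thread (files that carry the NTFS Encrypted attribute as cipher.exe reports them, certificates in the user store with the EFS key usage, and whether EFS is disabled in the registry). This is an added example, not code from anyone in the thread or from GDevelop or Godot; the scan root is a placeholder and the registry value is the one written by `fsutil behavior set disableencryption 1`.

```powershell
# Added example: triage unexpected EFS activity on a Windows host.
# Assumes Windows PowerShell 5.1 or later; $ScanRoot is a placeholder to adjust.
param([string]$ScanRoot = "$env:USERPROFILE")

# 1. Files flagged with the NTFS Encrypted attribute (the same signal 'cipher.exe /u /n' lists).
function Get-EfsEncryptedFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
        Select-Object FullName, LastWriteTime, Length
}

# 2. Certificates in the current user's personal store whose Enhanced Key Usage
#    includes Encrypting File System (OID 1.3.6.1.4.1.311.10.3.4).
function Get-EfsCertificates {
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsOid
    } | Select-Object Subject, Thumbprint, NotBefore, HasPrivateKey
}

# 3. The NtfsDisableEncryption value: 1 means EFS is turned off for this machine,
#    so newly encrypted files would indicate the setting was changed or bypassed.
function Get-EfsPolicyState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $v = (Get-ItemProperty -Path $key -Name NtfsDisableEncryption -ErrorAction SilentlyContinue).NtfsDisableEncryption
    [pscustomobject]@{ NtfsDisableEncryption = $v; EfsDisabled = ($v -eq 1) }
}

$files = @(Get-EfsEncryptedFiles -Root $ScanRoot)
$certs = @(Get-EfsCertificates)
$state = Get-EfsPolicyState

Write-Host ("EFS disabled by policy : {0}" -f $state.EfsDisabled)
Write-Host ("EFS certificates found : {0}" -f $certs.Count)
$certs | Format-Table -AutoSize
Write-Host ("Encrypted files under {0}: {1}" -f $ScanRoot, $files.Count)
# Newest first: recently encrypted files are the ones worth correlating with installs.
$files | Sort-Object LastWriteTime -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Run it as the affected user (the certificate store is per user); a certificate with a NotBefore timestamp matching the notification, combined with fresh encrypted files, is what to preserve for investigation before deleting anything.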

I’m sure this cannot be GDevelop anyways, as adding new certificates requires administrator perms and GDevelop never requires them. Not even for the installation, as it installs in app data.
