A YouTube page that supposedly allows visitors to download a Nintendo Switch emulator program actually installs a downloader that introduces a potentially unwanted application called OneSystemCare.
A YouTube page that supposedly allows visitors to download a Nintendo Switch emulator program actually installs a downloader that introduces a potentially unwanted application called OneSystemCare.

Online scammers are promoting phony emulators for Nintendo's brand new Switch gaming console, but in reality are delivering annoying surveys and potentially unwanted applications to would-be players.

A Thursday blog post from Symantec reports that a recent YouTube search for "Nintendo Switch Emulator" turned up a variety of fraudulent hits – one with over 76,000 views – despite the fact that no such emulator exists. 

Some of these sites offer instructions for downloading a file from a website to play Nintendo's The Legend of Zelda: Breath of the Wild on a PC. Others simply feature people generically discussing "free tools," but never specifically reference an emulator – likely so that the videos can be repurposed for other trending search terms, the blog post explains.

The most malicious of these fraudulent sites deliver unwanted content or software. For instance, Symantec found a YouTube video that promised an emulator download but instead installed the malicious downloaders OSX.Malcol for Macs and PUA.Downloader for Windows. These downloaders then introduce a potentially unwanted application called OneSystemCare that conveys misleading computer performance datato users and asks them to pay up in order to fix the issues.

In other cases, the phone emulator sites include links to surveys that users supposedly must fill out in order to receive an unlock code that downloads the nonexistent emulator. One even promotes a fake contest that offers the Switch as a prize.

"The survey goes through several pages to gather information about the visitor's habits and interests in potential products before reaching a page asking them to complete one or more offers," said Satnam Narang, senior security response manager, Norton by Symantec, in an email interview with SC Media. "These offers are of a premium nature. This means the user has to sign up for a trial for a service or receive a product in order to complete the survey, but they will be asked to provide a credit card. If the user does not cancel before the trial period ends, their credit card will be charged."

Narang told SC Media that the surveys also collect personally identifiable information such as names, addresses, phone numbers and email addresses. How this PII is used and potentially shared is unknown, however.

In its post, Symantec states that the fraudulent websites are driven by unscrupulous affiliate programs. "For each successful conversion (a completed survey, offer, or download), the affiliate collects a commission from the advertising network. In this case, it is unclear how much each affiliate is making for each conversion," the blog post noted.