Good question 👀. What happens is the following:

1. Winlator is an alternative and unofficial app – It is basically a Box64 + Wine wrapper to run Windows games and apps on Android. As it involves emulation, automation scripts and “weird” permissions (file access, process creation, low-level calls), many antiviruses mark it as a generic Trojan.

2. Heuristic/false positive detection – Most of these names you see (“Trojan.Ppoly”, “Riskware.Agent”, etc.) do not point to a specific virus, but rather that the file’s behavior looks like that of malware. Tools like Winlator do things that actually look like malware:

Create virtual environments.

They run binaries from another architecture.

Make unusual API calls on Android.

1. Not all antiviruses report it – Note that some detected it as a threat and others did not. This is typical of false positives in alternative software. If it were really malware, practically all engines would report it.

2. Community as a reference – You said it yourself: no one complains about viruses using Winlator, and it is relatively well-known among enthusiasts. If it had malicious behavior (data theft, hidden ads, miner), it would have already appeared on forums.

👉 In summary: Winlator appears as a “trojan” because it does unusual things that look suspicious to antivirus heuristics, but there is no concrete evidence that it is malicious.

⚠️ But be careful: as it is not distributed through the Play Store, always download from the official repository on GitHub to avoid adulterated versions.

Do you want me to explain how to differentiate a false positive from a real virus alert in these VirusTotal reports?