Fake Antivirus Sites Spreading Android and Windows Malware

Threat actors are using counterfeit websites posing as authentic antivirus solutions from Avast, Bitdefender, and Malwarebytes to distribute malware that can steal sensitive information from Android and Windows devices.

Here is a list of the deceptive websites:

1. avast-securedownload[.]com, distributing the SpyNote trojan disguised as an Android package file (“Avast.apk”) that, once installed, requests intrusive permissions to read SMS messages, call logs, install and delete apps, take screenshots, track location, and even mine cryptocurrency.
2. bitdefender-app[.]com, distributing a ZIP archive file (“setup-win-x86-x64.exe.zip”) that installs the Lumma information stealer malware.
3. malwarebytes[.]pro, distributing a RAR archive file (“MBSetup.rar”) that installs the StealC information stealer malware.
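The three domains above share one pattern: a real vendor name embedded in a registrable domain the vendor does not own. The following added example (not from the original article) sweeps constructed proxy-log lines for that pattern; the vendor allowlist is an assumption and must be replaced with the domains your organisation actually trusts, and the apex extraction is deliberately naive.

```python
from urllib.parse import urlparse

# Brand token -> registrable domains the vendor really owns (assumed, incomplete allowlist).
BRAND_ALLOWLIST = {
    "avast": {"avast.com"},
    "bitdefender": {"bitdefender.com"},
    "malwarebytes": {"malwarebytes.com"},
}

def refang(host):
    """Convert a defanged indicator such as 'avast-securedownload[.]com' to a hostname."""
    return host.lower().replace("[.]", ".").replace("(.)", ".").strip(".")

def registrable_domain(host):
    """Naive apex = last two labels; use a public-suffix list to handle ccTLDs like co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def impersonated_brand(host):
    """Return the vendor brand a hostname trades on, or None if legitimate or unrelated."""
    host = refang(host)
    apex = registrable_domain(host)
    # Flag when a brand token appears anywhere in the host ('malwarebytes.pro',
    # 'bitdefender-app.com', 'avast.com.evil.example') but the apex is not the vendor's.
    for brand, legit in BRAND_ALLOWLIST.items():
        if brand in host and apex not in legit:
            return brand
    return None

def scan_proxy_log(lines):
    """Parse 'timestamp client method url' lines; return requests to impersonating hosts."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort the sweep
        url = urlparse(parts[3])
        brand = impersonated_brand(url.hostname or "")
        if brand:
            hits.append({"client": parts[1], "host": url.hostname, "brand": brand, "path": url.path})
    return hits

# Constructed sample lines (not real traffic); the hosts are the article's indicators.
SAMPLE_LOG = [
    "2024-05-20T10:01:02Z 10.0.0.5 GET http://avast-securedownload.com/Avast.apk",
    "2024-05-20T10:02:11Z 10.0.0.7 GET https://www.avast.com/free-antivirus-download",
    "2024-05-20T10:03:45Z 10.0.0.9 GET https://bitdefender-app.com/setup-win-x86-x64.exe.zip",
    "2024-05-20T10:04:30Z 10.0.0.9 GET https://malwarebytes.pro/MBSetup.rar",
]
```

Calling `scan_proxy_log(SAMPLE_LOG)` returns the three impersonating requests and leaves the genuine `www.avast.com` download alone; the hit's `path` field is where the installer-looking filenames named above will show up.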

Additionally, a rogue Trellix binary named “AMCoreDat.exe” was found, acting as a dropper for stealer malware that harvests browser data and sends it to a remote server.

How victims are being directed to these bogus websites is not yet clear, but similar campaigns in the past have relied on malvertising and search engine optimization (SEO) poisoning.

Stealer malware has become increasingly prevalent, with cybercriminals advertising numerous custom variants of varying complexity. These include new stealers like Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as updates to existing ones such as SYS01stealer.

That new stealers keep appearing, and that their functionality and sophistication vary so widely, indicates sustained criminal-market demand for them.

In a separate development, a Gipy malware campaign was detailed by a Russian cybersecurity firm, capitalizing on the popularity of artificial intelligence (AI) tools by advertising a fake AI voice generator via phishing websites.

Gipy, once installed, loads third-party malware hosted on GitHub, including information stealers (Lumma, RedLine, RisePro, and LOLI Stealer), cryptocurrency miners (Apocalypse ClipBanker), remote access trojans (DCRat and RADXRat), and backdoors (TrueClient).

These findings coincide with the discovery of a new Android banking trojan called Antidot, which disguises itself as a Google Play update to steal information by abusing Android’s accessibility and MediaProjection APIs.

To protect against fake antivirus sites spreading malware, it’s important to only download antivirus software from official sources. Regularly update your operating system and software to patch known vulnerabilities. Be cautious of unsolicited emails and messages, and avoid clicking on suspicious links or attachments. Use reputable antivirus software and enable real-time scanning for added protection.