Fake antivirus websites are now a major cybersecurity threat, spreading malware to both Windows and Android devices.
These malicious sites mimic legitimate antivirus solutions from well-known brands such as Avast, Bitdefender, and Malwarebytes, tricking users into downloading malicious software.
Windows & Android Malware
Cybercriminals have been observed using fake websites that closely resemble legitimate antivirus providers to distribute malware. These sites include:
- avast-securedownload[.]com: This site delivers the SpyNote trojan disguised as an Android package file (“Avast.apk”). Once installed, this trojan requests intrusive permissions, such as reading SMS messages and call logs, installing and deleting apps, taking screenshots, tracking location, and even mining cryptocurrency.
- bitdefender-app[.]com: This site distributes a ZIP archive file (“setup-win-x86-x64.exe.zip”) that deploys the Lumma information stealer malware, targeting Windows users.
- malwarebytes[.]pro: This site delivers a RAR archive file (“MBSetup.rar”) that deploys the StealC information stealer malware.
Additionally, a rogue binary posing as a Trellix component and named “AMCoreDat.exe” has been uncovered; it serves as a conduit to drop stealer malware capable of harvesting victim information, including browser data, and exfiltrating it to a remote server.
The distribution methods for these fake antivirus websites are not entirely clear. However, similar campaigns in the past have employed techniques such as malvertising and search engine optimization (SEO) poisoning.
These methods help the malicious sites appear higher in search engine results, increasing the likelihood of unsuspecting users visiting them.
Stealer malware has become increasingly common, with cybercriminals advertising numerous custom variants with varying levels of complexity.
New stealers like Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber have emerged, alongside updates to existing ones such as SYS01stealer (also known as Album Stealer or S1deload Stealer).
This trend indicates a growing criminal market demand for stealer malware, which can harvest sensitive information from victims’ devices.
In a related development, researchers have discovered a new Android banking trojan called Antidot.
This trojan disguises itself as a Google Play update and abuses Android’s accessibility and MediaProjection APIs to facilitate information theft. Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credentials theft, device control, and executing commands received from attackers.
How to Protect Yourself
To protect against these threats, users should follow several best practices:
- Verify the Source: Always download antivirus software from the official website of the provider. Avoid clicking on links from emails or advertisements.
- Be Wary of Pop-Ups: Legitimate antivirus software does not use aggressive pop-up tactics to scare users into downloading its software. If you encounter frequent pop-ups, it is likely a scam[3][4].
- Check for Suspicious URLs: Look closely at the URL of the website. Fake antivirus sites often have slight variations in their URLs compared to the legitimate sites they mimic.
- Use Comprehensive Security Solutions: Employ a robust security solution that includes antivirus, anti-malware, and anti-phishing features to detect and block malicious websites and downloads.
- Stay Informed: Keep up to date with the latest cybersecurity news and trends to be aware of new threats and how to avoid them.
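A small lookalike-domain check in the spirit of the "Check for Suspicious URLs" advice, written as an added example for this article (not code from the researchers or vendors mentioned); it assumes the short OFFICIAL_DOMAINS list and a naive registrable-domain rule, and runs over the three defanged domains named above plus two constructed benign controls.

```python
import re
from urllib.parse import urlsplit

# Official domains for the brands impersonated in the campaign (assumed list; extend as needed).
OFFICIAL_DOMAINS = {
    "avast": {"avast.com"},
    "bitdefender": {"bitdefender.com"},
    "malwarebytes": {"malwarebytes.com"},
    "trellix": {"trellix.com"},
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('bitdefender-app[.]com', 'hxxps://...') into a plain hostname."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://", "http://", s, flags=re.IGNORECASE)
    if "://" not in s:
        s = "http://" + s
    host = urlsplit(s).hostname or ""
    return host.lower().rstrip(".")

def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (fine for .com/.pro, not for co.uk-style suffixes)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def lookalike_brand(indicator: str):
    """Return the brand a hostname impersonates, or None if it is official or unrelated.

    Heuristic: the brand name appears in the hostname (ignoring separators such as '-'),
    but the registrable domain is not one of that brand's official domains."""
    host = refang(indicator)
    reg = registrable_domain(host)
    if any(reg in official for official in OFFICIAL_DOMAINS.values()):
        return None  # official domain, or a subdomain of one
    squashed = host.replace("-", "").replace("_", "")
    for brand in OFFICIAL_DOMAINS:
        if brand in squashed:
            return brand
    return None

def triage(indicators):
    """Map each indicator to the brand it imitates (None when no lookalike is detected)."""
    return {ind: lookalike_brand(ind) for ind in indicators}

# Constructed sample: the three domains from the article plus two benign controls.
SAMPLE = ["avast-securedownload[.]com", "bitdefender-app[.]com", "malwarebytes[.]pro",
          "hxxps://download.avast[.]com/setup", "example.com"]

if __name__ == "__main__":
    for ind, brand in triage(SAMPLE).items():
        print(f"{ind:38} -> {brand or 'no brand lookalike'}")
```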
The rise of fake antivirus websites distributing malware is a significant concern for both individual users and organizations.
By mimicking trusted brands, these malicious sites exploit users’ trust and spread harmful software that can steal sensitive information and compromise device security. Staying vigilant and following best practices can help mitigate the risk of falling victim to these scams.
The consequences of downloading malware from fake antivirus websites are severe and multifaceted, affecting data security, financial stability, system performance, and psychological well-being.
Users must remain vigilant, verify the authenticity of antivirus software, and follow best practices to protect themselves from these threats.