Beware: These Fake Antivirus Sites Spreading Android and Windows Malware

News

May 24, 2024NewsroomMalvertising / Endpoint Security

Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices.

“Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber attacks,” Trellix security researcher Gurumoorthi Ramanathan said.

The list of websites is below –

  • avast-securedownload[.]com, which is used to deliver the SpyNote trojan in the form of an Android package file (“Avast.apk”) that, once installed, requests for intrusive permissions to read SMS messages and call logs, install and delete apps, take screenshot, track location, and even mine cryptocurrency
  • bitdefender-app[.]com, which is used to deliver a ZIP archive file (“setup-win-x86-x64.exe.zip”) that deploys the Lumma information stealer malware
  • malwarebytes[.]pro, which is used to deliver a RAR archive file (“MBSetup.rar”) that deploys the StealC information stealer malware

The cybersecurity firm said it also uncovered a rogue Trellix binary named “AMCoreDat.exe” that serves as a conduit to drop a stealer malware capable of harvesting victim information, including browser data, and exfiltrating it to a remote server.

Cybersecurity

It’s currently not clear how these bogus websites are distributed, but similar campaigns in the past have employed techniques such as malvertising and search engine optimization (SEO) poisoning.

Stealer malware have increasingly become a common threat, with cybercriminals advertising numerous custom variants with varying levels of complexity. This includes new stealers like Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as updates to existing ones such as SYS01stealer (aka Album Stealer or S1deload Stealer).

Fake Antivirus Websites

“The fact that new stealers appear every now and then, combined with the fact that their functionality and sophistication varies greatly, indicates that there is a criminal market demand for stealers,” Kaspersky said in a recent report.

The development comes as researchers have discovered a new Android banking trojan called Antidot that disguises itself as a Google Play update to facilitate information theft by abusing Android’s accessibility and MediaProjection APIs.

“Functionality-wise Antidot is capable of keylogging, overlay attacks, SMS exfiltration, screen captures, credentials theft, device control, and execution of commands received from the attackers,” Broadcom-owned Symantec said in a bulletin.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Modernization of Authentication: Webinar on MFA, Passwords, and the Shift to Passwordless
Separating the bee from the panda: CeranaKeeper making a beeline for Thailand
How Confidence Between Teams Impacts Cyber Incident Outcomes
Meta Teams Up with Banks to Target Fraudsters
Why system resilience should mainly be the job of the OS, not just third-party applications

Leave a Reply

Your email address will not be published. Required fields are marked *