
Fake antivirus websites deliver malware to Android and Windows devices

May 24, 2024 | Newsroom | Malicious advertising / Endpoint security

Fake antivirus sites

Threat actors have been observed using fake websites impersonating legitimate antivirus solutions from Avast, Bitdefender and Malwarebytes to spread malware capable of stealing sensitive information from Android and Windows devices.

“Hosting malware through sites that appear legitimate is predatory for consumers in general, especially those who want to protect their devices from cyberattacks,” said Gurumoorthi Ramanathan, a Trellix security researcher.

The list of websites is below:

  • avast-securedownload(.)com, which is used to deliver the SpyNote trojan as an Android package file (“Avast.apk”). Once installed, it requests invasive permissions to read SMS messages and call logs, install and remove applications, take screen dumps, track location and even mine cryptocurrency
  • bitdefender-app(.)com, which is used to deliver a ZIP archive file (“setup-win-x86-x64.exe.zip”) that deploys Lumma information-stealing malware
  • malwarebytes(.)pro, which is used to deliver a RAR archive file (“MBSetup.rar”) that deploys the StealC information-stealing malware

The cybersecurity firm said it also discovered a fake Trellix binary called “AMCoreDat.exe” that serves as a conduit for dropping malware able to capture victims’ information, including browser data, and exfiltrate it to a remote server.
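The domain and file-name indicators listed above are the kind of thing a defender feeds into log review. The script below is an added example (not Trellix's or this article's code) that refangs the published domains and scans web-proxy log lines for them and for the named payload files. The log format (timestamp, client IP, method, URL, status) and the sample lines are constructed assumptions; only the indicators come from the article.

```python
"""Scan web-proxy log lines for the indicators reported in the article.

Added example, not code from Trellix or The Hacker News. The domains and
file names below are the article's indicators; the log format and the
sample log lines are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Domains from the article, kept defanged exactly as published.
DEFANGED_DOMAINS = [
    "avast-securedownload(.)com",
    "bitdefender-app(.)com",
    "malwarebytes(.)pro",
]

# Payload file names the article associates with the campaign.
FILE_NAMES = [
    "Avast.apk",
    "setup-win-x86-x64.exe.zip",
    "MBSetup.rar",
    "AMCoreDat.exe",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example(.)com' back into 'example.com'."""
    return indicator.replace("(.)", ".").replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
FILE_NAMES_LOWER = {f.lower() for f in FILE_NAMES}


def domain_matches(host: str) -> bool:
    """True if host equals an indicator domain or is a subdomain of one.

    A suffix check without the leading dot would also flag unrelated hosts
    such as 'notavast-securedownload.com', so the dot is required.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def file_matches(name: str) -> bool:
    """True if the requested file name is one of the published payload names."""
    return name.lower() in FILE_NAMES_LOWER


# Assumed log layout: "<timestamp> <client-ip> <METHOD> <url> <status> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


def scan_line(line: str):
    """Return a hit record for one log line, or None if it matches nothing."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or unrecognised line; skip rather than crash
    url = urlparse(m.group("url"))
    host = url.hostname or ""
    name = url.path.rsplit("/", 1)[-1]
    reasons = []
    if domain_matches(host):
        reasons.append(f"domain:{host}")
    if name and file_matches(name):
        reasons.append(f"file:{name}")
    if not reasons:
        return None
    return {"client": m.group("client"), "url": m.group("url"), "reasons": reasons}


def scan_log(lines):
    """Scan an iterable of log lines; returns hits with 1-based line numbers."""
    hits = []
    for number, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit:
            hit["line"] = number
            hits.append(hit)
    return hits


# Constructed sample log: one benign vendor visit, three campaign hits of
# differing confidence, one malformed line.
SAMPLE_LOG = [
    "2024-05-24T10:01:02Z 10.0.0.5 GET https://www.avast.com/index.html 200",
    "2024-05-24T10:01:09Z 10.0.0.5 GET https://avast-securedownload.com/Avast.apk 200",
    "2024-05-24T10:02:30Z 10.0.0.7 GET https://cdn.bitdefender-app.com/dl/setup-win-x86-x64.exe.zip 200",
    "2024-05-24T10:03:00Z 10.0.0.9 GET https://files.example.invalid/MBSetup.rar 200",
    "2024-05-24T10:04:00Z 10.0.0.9 GET https://malwarebytes.pro/ 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['url']} [{', '.join(hit['reasons'])}]")
```

A file-name-only hit (the MBSetup.rar line above, served from an unrelated host) is weaker evidence than a domain match, which is why each hit carries its reasons separately instead of a single boolean; a triage rule can then weight them differently.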


It is currently unclear how these fake sites are distributed, but similar campaigns in the past have used techniques such as malicious advertising and search engine optimization (SEO) poisoning.

Information-stealing malware is becoming an increasingly common threat, with cybercriminals advertising numerous custom variants of varying degrees of complexity. This includes new stealers such as Acrid, SamsStealer, ScarletStealer and Waltuhium Grabber, as well as updates to existing ones such as SYS01stealer (also known as Album Stealer or S1deload Stealer).


“The fact that new thieves appear from time to time, combined with the fact that their functionality and sophistication vary significantly, indicates that there is a demand for thieves in the criminal market,” Kaspersky said in a recent report.

The development comes after researchers discovered a new Android banking trojan called Antidot that spoofs a Google Play update to facilitate information theft by abusing Android’s accessibility and MediaProjection APIs.

“Functionally, Antidot can perform keystroke logging, overlay attacks, SMS exfiltration, screen capture, credential theft, device control and execution of commands received from attackers,” Broadcom-owned Symantec said in a bulletin.
