Fake antivirus websites spread malware on Android and Windows
Malicious actors are using fake websites that mimic legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to spread malware that steals sensitive information from Android and Windows devices.
“Hosting malware via websites that appear legitimate is harmful to general consumers, especially those trying to protect their devices from cyberattacks,” said Trellix security researcher Gurumoorthi Ramanathan.
The websites identified are as follows:
avast-securedownload[.]com, used to distribute the SpyNote trojan in the form of an Android file (“Avast.apk”).
bitdefender-app[.]com, distributing a ZIP file (“setup-win-x86-x64.exe.zip”) containing the Lumma malware.
malwarebytes[.]pro, distributing a RAR file (“MBSetup.rar”) containing the StealC malware.
The cybersecurity company also revealed a malicious file named “AMCoreDat.exe” that installs malware to steal the victim’s data.
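The three lookalike domains above all embed a vendor's brand name in a hostname the vendor does not own, which is something DNS or proxy logs can be checked for. The following is an added example, not code from Trellix or the vendors; the allowlist of official domains (`avast.com`, `bitdefender.com`, `malwarebytes.com`) and the sample hostnames are assumptions constructed for illustration.

```python
# Added example: flag hostnames that embed an antivirus brand name but are not
# under that vendor's own domain. Not code from Trellix or the vendors.

# Assumption: one primary domain per vendor; extend with other vendor-owned domains.
OFFICIAL_DOMAINS = {
    "avast": {"avast.com"},
    "bitdefender": {"bitdefender.com"},
    "malwarebytes": {"malwarebytes.com"},
}

# Constructed sample of hostnames as they might be pulled from DNS or proxy logs.
# The first three are the lookalikes named in the article, kept defanged.
SAMPLE_HOSTS = [
    "avast-securedownload[.]com",
    "bitdefender-app[.]com",
    "malwarebytes[.]pro",
    "www.avast.com",
    "download.bitdefender.com",
    "Malwarebytes.com.",
    "avast.com.login.example",  # constructed: official name used as a prefix
    "example.org",
]

def normalize(host):
    """Refang '[.]', lowercase, and drop a trailing root dot."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

def is_official(host, domains):
    """True if host is an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_lookalikes(hosts):
    """Return sorted (host, brand) pairs for hosts that use a brand name off-domain."""
    hits = set()
    for raw in hosts:
        host = normalize(raw)
        dehyphenated = host.replace("-", "")  # so "bit-defender" still matches
        for brand, domains in OFFICIAL_DOMAINS.items():
            if brand in dehyphenated and not is_official(host, domains):
                hits.add((host, brand))
    return sorted(hits)

if __name__ == "__main__":
    for host, brand in brand_lookalikes(SAMPLE_HOSTS):
        print(f"ALERT brand={brand} host={host.replace('.', '[.]')}")
```

A substring match like this also flags legitimate third-party sites that mention a brand, such as resellers or review pages, so treat hits as triage leads rather than verdicts.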
It is unclear how links to these fake websites are distributed, but similar campaigns in the past have used techniques such as malvertising and SEO poisoning.
Stealer-type malware is becoming increasingly common, with new variants such as Acrid, SamsStealer, ScarletStealer, and Waltuhium Grabber, as well as upgrades to existing ones like SYS01stealer.

Finally, researchers discovered a new banking trojan for Android named Antidot, which pretends to be a Google Play update to steal information by exploiting Android’s accessibility and MediaProjection APIs. Users should remain vigilant and cautious online at all times.