Cybercriminals Use Fake Antivirus Sites to Target Android and Windows

Cybercriminals are employing fake websites mimicking those of Avast, Bitdefender, and Malwarebytes to distribute information stealers for Android and Windows. Specialists at Trellix detailed this new campaign in their report.

Trellix identified the following fraudulent websites:

  1. avast-securedownload[.]com – Distributes the SpyNote trojan as an Android package (Avast.apk). Upon installation, the app requests intrusive permissions to read SMS messages and call logs, install and uninstall applications, take screenshots, track location, and even mine cryptocurrency.
  2. bitdefender-app[.]com – Distributes a ZIP archive (setup-win-x86-x64.exe.zip) containing Lumma Stealer, designed for information theft.
  3. malwarebytes[.]pro – Distributes a RAR archive (MBSetup.rar) that installs the StealC malware for data theft.

Additionally, Trellix discovered a fake executable file, AMCoreDat.exe, which serves as a conduit for malware capable of collecting victim information, including browser data, and transmitting it to a remote server.

It remains unclear how the fake websites are being promoted, but such campaigns typically rely on methods like malicious advertising (malvertising) and SEO poisoning to increase the visibility of fake sites in search results.