Antivirus Fraudware Goes Mobile?

We came across some interesting mobile phone software yesterday. It’s designed for the J2ME platform for mobiles and it’s a midlet with a Kaspersky Anti-Virus icon. The application mimics the behavior of our antivirus software; it deliberately simulates the detection of a virus and then shows an error message.

At first, we thought it was a new fraudware program designed to steal money from mobile users’ accounts, but after checking its behavior, we came to the conclusion that it’s just a demonstration – looks like somebody was having a bit of fun. The program doesn’t modify the system or try to steal any money.

Although the program isn’t malicious in itself, we detect it as FraudTool – even though the program’s safe to run, we think that users should be notified about it. Because it’s not malicious, we’ve added the prefix not-a-virus. If we see another modification of this application which attempts to trick the user in some way and steal money from his/ her account, we’ll remove the prefix and the program will be detected as true malware.

Here’s a video clip showing how the program works (in Russian only – but even if you don’t speak Russian, you might still find it interesting!):

Detected for this program was added on 7th August. We decided to call it not-a-virus:FraudTool.J2ME.KaspAV.a, because it mimics the behavior of our antivirus product for mobiles.

Antivirus Fraudware Goes Mobile?

Your email address will not be published.



APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Lazarus Trojanized DeFi app for delivering malware

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor.

MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Subscribe to our weekly e-mails

The hottest research right in your inbox