Research

Fake antivirus – attack of the clones

Experts recently discovered a scam antivirus app on Google Play going by the name of Virus Shield. A distinct feature of this particular app was the fact that users had to pay for it – most fake AV can initially be downloaded for free. This meant its creators immediately started making money and didn’t have to demand payments from users to remove “malware” that had supposedly been detected on their computers. To avoid negative reviews on Google Play all that was required was to make it look like the app was doing something useful.

Virus Shield was followed by a series of other similar fake apps. Early last week, for instance, we detected two rather interesting fake antivirus programs.

The first fake app was discovered on Windows Phone Store, which in itself was unusual – scammers tend to use Google Play. This app, which also had to be paid for up front, went by the name of Kaspersky Mobile. The fact that there is no program with that name in Kaspersky Lab’s product line didn’t deter the fraudsters – they obviously didn’t expect anyone to notice.

blog_unuchek_fakeav_01_en

This fake app pretends to carry out some useful activity such as “scanning” files. But look closely at the screenshot and you will see that as well as showing “scan progress” it is supposedly performing a “heuristic analysis”. As a rule, antivirus solutions don’t display a separate progress bar for a heuristic analysis.

blog_unuchek_fakeav_02_en

However, the scammers seem to show a bit more knowledge about software developers and their name-dropping wasn’t limited to Kaspersky Lab. The fake AV creators uploaded numerous other types of paid apps to Windows Phone Store that used the names and logos of several popular programs.

blog_unuchek_fakeav_03_en

They include Google Chrome for 99 rubles (approx. $2.80), and Google Chrome Pro, which for some reason cost just 59 rubles. There are some “antivirus” applications from unknown developers, but upon closer inspection the only difference between them and Kaspersky Mobile turned out to be the logo and the colors used in the interface.

But most interesting of all was Virus Shield at 69 rubles (approx. $2) – the same fake AV we mentioned above – which was discovered on Google Play.

blog_unuchek_fakeav_04_en

This is a good example of how one successful scam spawns numerous clones. Instead of just one fake AV, the scammers offer dozens of fake apps, copying the design, but not the functionality of the original.

The second fake app of note that we discovered was for sale on Google Play and was called Kaspersky Anti-Virus 2014. Just to clarify, there is no Kaspersky Lab mobile product by that name. The screenshot used on the page of the fake app was simply copied from the official Kaspersky Internet Security for Android page.

blog_unuchek_fakeav_05_en

The fake app does absolutely nothing to protect the user’s device – the creators didn’t even bother to add a simulation of a scanner. Instead of a security solution the buyer gets nothing more than a fake app whose functionality is limited to random statements along the lines of a Magic 8-Ball set against a background of the Kaspersky Anti-Virus logo. Kaspersky Lab products detect the app as Trojan-FakeAV.AndroidOS.Wkas.a.

blog_unuchek_fakeav_06_en

It is quite possible that more and more of these fake apps will start appearing. One thing is for sure – the mechanisms put in place by the official stores are clearly unable to combat scams like this.

P.S. Either there weren’t too many takers for the fake Kaspersky Internet Security for Android, or greed got the better of the creators – in any case, they decided to up the ante. Apart from an “antivirus” app for 142 rubles, we discovered another app on the scammers’ Google Play page that was on sale for 3556 rubles (approx. $100).

blog_unuchek_fakeav_07_en

The screenshots for this expensive program bearing the name ‘i am rich’ were reminiscent of those used in an app for iOS with the same name whose functionality consisted entirely of displaying an image of a ruby and a caption saying “I am rich”. We decided not to pay the $100 asking price for the app, but we’re sure that its functionality is not much different from its earlier namesake or any of the other fake apps from the scammers in question.

Fake antivirus – attack of the clones

Your email address will not be published. Required fields are marked *

 

  1. Ereneo B Nyambo

    Thank you for this details concerning fake AVs. I hope many of the users like me will be free from those frauders. In ma mobile i tried some of AV app’s they lying, eg. they can say they found 900MBs to be cleaned but after cleaning nothing became cleaned. So i wonder what is! Am happy to read this post , thank u so much Roman.

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox