What is a fake antivirus software?
Fake antivirus software impersonates legitimate security software to convince users that they have an actual virus on their computer or mobile device and need to download security software immediately. When computer users click on the link, malware is installed on their computer.
Scare tactics are a very effective way to disguise a threat, bypass security mechanisms, and trick users into downloading malware onto their own devices and computers.
In many cases, cybercriminals do so by using a fake message notifying users about a virus or infection on their device, prompting them to download and install fake antivirus software or computer cleaning software, which is actually malware. These messages appear either on an ad or as a pop-up message after the user clicks on a legitimate-looking ad.
The fake antivirus programs usually contain social engineering elements such as icons and logos designed to make the message or pop-up seem trustworthy and appear to come from their operating system (Windows, macOS, Android, iOS) or a trustworthy service provider of genuine security software. Because it looks like real antivirus software, users don’t suspect that there’s anything wrong or that the message poses a threat.
Fake antivirus software attack flow
There are two main types of fake antivirus software ads that hide viruses and other types of threat, such as fake antispyware.
- Ads that look like a computer message notification, pop-up window, play/download button, and aren’t related to an antivirus program
Once users click on these seemingly innocuous ads, they are redirected to a landing page on a fake website. On that landing page, they see a message that their device has been infected by a virus or requires cleaning. For example, while on the landing page or web site, they may get a pop-up with a message like: “We have conducted a scan and identified 3 viruses on your PC” or “Your computer is slow. Please clean system” or something similar.
In order to fix the problem, the landing page prompts them to click on suspicious links and download and install fake anti-virus software. The rogue antivirus program is actually malware that can wreak havoc on their computer security and end up costing them money.
- Ads that look like a warning message about a virus or problem in the user’s computer or device
Sometimes, often on mobile devices, the ad itself is a GIF designed to look like a system antivirus update that is actually disguising malicious software. When the user clicks on the antivirus update, malware is installed on the user’s computer without an interim step.
Every attack is unique, but in many cases, the malware or fake antivirus program installed has behavior monitoring capabilities like sniffing and keylogging or spyware. Such techniques are used for identity theft, collecting usernames, passwords, credit card numbers, and other private information and important files. The sensitive information can be sold for money on the internet, often in other countries.
One infected computer can also be used to infect other computers with the same virus or more malware. Once installed in one computer, the rogue security software sends out malicious code with fake antivirus software through the victim’s computer that spreads to other computers, creating an infected computer system.
Examples of fake antivirus software
Cybercriminals impersonate trusted systems and legitimate antivirus software including McAfee, Avast, and AVG to convince victims to install their malware on both computers and mobile devices.
Fake McAfee antivirus alert
McAfee is a leading provider of legitimate security software and antivirus software and programs, and a brand that people trust to protect them. Therefore, many criminals try to impersonate McAfee antivirus software in their on-screen instructions. In other situations, they claim to be free antivirus software offered by the company or as part of McAfee antivirus programs.
Fake Avast antivirus alert
Avast offers an antivirus suite, making it an attractive disguise for rogue antivirus criminals to use in their pop-ups. Like with other examples, the disguised messages actually hide fake antivirus software that contains the latest threats to the user’s computer, system, software, program, hard drive, backed-up files, or internet security.
Fake AVG antivirus alert
Another case where fake antivirus software is disguised as real antivirus software is using the trusted AVG brand. With cleverly designed ads, people can be led to believe that a fake antivirus message was actually sent by AVG to protect them. Like in the other examples, downloading the fake program can expose users to identity theft, fake schemes to pay money to bad actors, and other criminal programs on the internet or a specific web site.
What does fake antivirus software do?
Users who have installed a fake antivirus program are at risk of having their computers or devices infected by malware, experiencing a ransomware attack, having their device exploited for a cryptocurrency mining program, or having their privacy and security compromised by sniffers and keyloggers seeking out their usernames, passwords, credit card numbers, and other private information entered on their computer or on the web.
Unlike fake browser extensions, the fake antivirus threat is not limited to the internet. It can impact any of the programs installed on the device itself as well as activity on any website.
How to detect fake antivirus software?
The most effective way to detect fake antivirus software and cleaners is to identify the malicious ads that lead to them.
However, identifying malicious ads in real time is a complex process. Since the malware often sits on the landing page and not on the ad itself, data from the ad and the landing page needs to be cross-referenced before the ad is served. This is done by analyzing the creatives of the ad and text analysis (TA) of the landing page content as well as utilization of machine learning models trained to scan and identify images related to fake antivirus attacks that can analyze the visual content in the ad.
Another challenge in detection is differentiating fake ads from real antivirus campaigns that protect users from viruses. Since fake ads mimic real ones so effectively, in-depth analysis and cross-referencing are needed to differentiate between them.
How to get rid of fake antivirus attacks?
The best way to protect your users from fake antivirus schemes is to block the ads that lead to these ads and the accompanying fake landing pages.
Fake antivirus programs are so convincing it can be hard for anyone to detect when a landing page is fake. Therefore, the best way to keep users safe is to make sure that they don’t end up on the landing pages in the first place. Real-time blocking solutions like GeoEdge effectively identify ads that lead to fake antivirus software and block them before the ads appear on publishers’ pages, and users are exposed to them.
GeoEdge does all that and more. Learn how it works here.