Fake Kaspersky Antivirus app found on Google Play, Windows Phone Store

While the Google Play Store is able to prevent malicious applications from being uploaded to the market, Google still fails to prevent cyber criminals from uploading fake apps.

Last month, Android Police discovered a fake antivirus app on Google Play going by the name of 'Virus Shield', which fooled thousands of users into buying it.

The story of fake antivirus apps doesn't stop there. Today, experts at Kaspersky discovered one more fake antivirus app, going by the name of 'Kaspersky Anti-virus 2014', on Google Play.

The fake version of Kaspersky was being sold for $4 and does nothing other than display the Kaspersky logo.

Researchers also discovered that a few fake apps were being sold in the Windows Phone Store. Some of them are 'Mozilla Mobile', 'Kaspersky Mobile', 'Avira Antivir' and the 'Virus Shield' apps.

The fake version of the Kaspersky antivirus app for Windows Phone pretends to scan your device but does nothing.


A few weeks back, when I was searching for the TrueCaller app for my Windows Phone, I also came across a fake paid version of TrueCaller and other apps. After I reported them to Microsoft, they removed those apps from the store.

Just now, I also found a fake version of COMODO Antivirus for Windows Phone which is being sold for $1.49. This fake app was uploaded by cheedella suresh (the name appears to be a South Indian name).


As you can see, the developer has also uploaded a few other fake apps to the Windows Phone Store. These apps were uploaded in recent months (April-May).

Malvertising on Aftonbladet news site targets IE users with Fake Antivirus

Aftonbladet, the website of one of Sweden's largest newspapers, was found to be serving malicious ads that redirect users to a malicious website serving fake antivirus.

A security researcher at Kaspersky said the website was spreading malware not because it was hacked, but because cybercriminals compromised third-party ads running on the site.

The malicious script used in the malvertising attack checks whether the visitor is using the Internet Explorer browser. Only IE users are redirected to the malware website.
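One way to confirm the user-agent gating described above is to request the ad or landing URL twice, once with an IE user agent and once with a non-IE one, without following redirects, and compare what comes back. The PowerShell below is an added example, not code from the post or from Kaspersky; the two user-agent strings and the placeholder URL are assumptions, and it is meant to be run from an isolated analysis machine.

```powershell
# Added example (not from the original post): fetch one URL with an IE user agent and with a
# non-IE one, without following redirects, then compare status, Location header and body.
# The URL passed in is a placeholder for the ad or landing URL under analysis.

function Get-ResponseForUserAgent {
    param(
        [Parameter(Mandatory = $true)] [string] $Url,
        [Parameter(Mandatory = $true)] [string] $UserAgent
    )
    $req = [System.Net.WebRequest]::Create($Url)
    $req.UserAgent = $UserAgent
    $req.AllowAutoRedirect = $false    # keep any 3xx so its Location header can be read
    $req.Timeout = 15000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx responses arrive as an exception that still carries the response object
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $reader   = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body     = $reader.ReadToEnd()
    $reader.Close()
    $resp.Close()

    # Hash the body so the two responses can be compared without keeping the pages around
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $digest = [System.BitConverter]::ToString($sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($body))) -replace '-', ''

    [pscustomobject]@{
        UserAgent         = $UserAgent
        Status            = $status
        Location          = $location
        BodyChars         = $body.Length
        BodySha256        = $digest
        MentionsUserAgent = ($body -match 'navigator\.userAgent|MSIE|Trident')   # client-side browser check present?
    }
}

function Compare-UserAgentResponses {
    param([Parameter(Mandatory = $true)] [string] $Url)
    # Assumed user-agent strings: IE 10 on Windows 7, and Firefox on the same OS
    $ieAgent    = 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
    $otherAgent = 'Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0'

    $ie    = Get-ResponseForUserAgent -Url $Url -UserAgent $ieAgent
    $other = Get-ResponseForUserAgent -Url $Url -UserAgent $otherAgent
    $ie, $other | Format-Table Status, Location, BodyChars, MentionsUserAgent, UserAgent -AutoSize | Out-String | Write-Host

    if ($ie.Status -ge 300 -and $ie.Status -lt 400 -and $other.Status -lt 300) {
        "Server-side redirect for IE only, to: $($ie.Location)"
    } elseif ($ie.BodySha256 -ne $other.BodySha256) {
        'Different page served per user agent; diff the two bodies to find the redirect logic.'
    } elseif ($ie.MentionsUserAgent) {
        'Same page for both, but it inspects the browser identity; the IE-only redirect is likely done client-side.'
    } else {
        'No user-agent dependence observed at this URL.'
    }
}

# Compare-UserAgentResponses -Url 'http://EXAMPLE-AD-URL.invalid/'   # placeholder; replace with the URL under analysis
```

The post says the check lives in the script rather than on the server, so a matching body for both user agents is expected; the `MentionsUserAgent` flag is what points at the client-side branch that the browser would then execute.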

The malware page does not exploit any vulnerabilities; it displays a fake virus alert, styled as a message from Microsoft Security Essentials, claiming it has detected potential threats on the user's computer and recommending that the user clean up the malware.

Once the user clicks on the picture, it does not clean any viruses; instead it downloads a malicious, obfuscated Visual Basic executable file.

"Large websites often include content from other websites, and if the bad guys compromise any of those websites they can also manipulate the content which is getting included by the large website," the researcher said.

Antivirus that will alert about Criminal and Illegal content for $500

Isn't the title interesting?! There is no such antivirus that will alert about criminal and illegal content. It is being advertised in recently discovered ransomware.

Ransomware usually locks the victim's system or browser and displays a warning message pretending to be from the FBI or another authority. It informs victims that their system has been locked because of their illegal activities and asks them to pay money to unlock it.

A new ransomware spotted by the Malwarebytes team interestingly informs the victims that "Your criminal records have been deleted".


The malware also suggests that victims buy an antivirus for $500 from them in order to unlock the system and avoid other legal consequences.

Those who fall for this scam end up paying around $1200. As I said earlier, no such kind of antivirus exists. After paying the ransom, you will just receive the message "your browser will be unlocked within 12 hours" and nothing else.

New Fake AV 'Antivirus System' can't be removed from Safe Mode with networking


These days, when malicious software, viruses and trojans are so rampant, it is no wonder that fake antivirus is also common. A perfect example is "Antivirus System," a Fake AV analyzed by experts from Webroot.

Antivirus System scans the user's files and then reports some threats which must be cleared as soon as possible. To remove them, the app must be registered, which costs a certain amount of money.

In addition, the Fake AV also sports some features that are common to legitimate security solutions (as news.softpedia reports).

In many cases such threats are easy to remove by booting the computer in safe mode and scanning it with an authentic antivirus product.

However, Antivirus System is not that easy to remove, since the malware injects itself into the Explorer shell, which is loaded in safe mode as well. This prevents the user from starting any executable.

Nevertheless, this does not mean that you have to waste your money and activate the product, since there is always a way out.

Ideally, an antivirus solution should stop the malware before it affects the system; if it has already infected your system, these are the steps you should follow:
*Start your computer in Safe Mode with Command Prompt (this doesn't launch the Explorer shell, so the fake AV will be inactive).

*Then, create a new administrator account by typing "control nusrmgr.cpl".

*Once the account is created, reboot the computer and log in to the new account.

This new account is unaffected by the virus, and you are free to remove the malicious software from your computer. But beware next time.
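The account-creation step done entirely from the command prompt, as an added example rather than the post's own instructions: the `net` commands below are built into Windows and work unchanged in the cmd.exe that Safe Mode with Command Prompt leaves you at, as well as in PowerShell. The account name cleanadmin is a placeholder.

```powershell
# Added example, not part of the original post. Run from the prompt that "Safe Mode with
# Command Prompt" gives you (cmd.exe or PowerShell); this replaces the nusrmgr.cpl dialog
# in the second step. 'cleanadmin' is a placeholder account name.

# Create the new local account; '*' makes net.exe prompt for the password so it is not echoed
# on screen or left in the command history.
net user cleanadmin * /add

# Make the new account a local administrator.
net localgroup Administrators cleanadmin /add

# Verify before rebooting: the account should exist and be listed in the group.
net user cleanadmin
net localgroup Administrators

# Reboot normally and log in as cleanadmin. As the post notes, the new account is unaffected
# by the fake AV, so a real scanner can be run from there.
shutdown /r /t 0
```

Choose a password that is not used anywhere else, and remove the temporary account once the cleanup is done and the original account is usable again.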

70% of Antivirus Solutions still fail to detect Fake AV


Fake antivirus (scareware), also referred to as rogue security software, is one of the most frequently encountered malware threats; it pretends to be legitimate security software.

Fake AV attempts to scare victims into believing their system is infected with malware that does not really exist. It continues to display annoying fake virus warnings and asks victims to pay money to clean up the non-existent malware.

Recent research from Zscaler shows that more than 70% of legitimate antivirus products fail to detect the fake AV (12/43 detected it). Three years ago, the detection ratio for fake AV was 6/41.

Fortunately, Google Safe Browsing and Internet Explorer (SmartScreen Filter) blocked the malicious page which serves the fake AV.

According to the researchers, the malware disables the firewall and existing AV solutions, disables AV updates, disables security warnings and sets itself as the default AV solution.
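A read-only triage pass for exactly those symptoms, as an added example (not Zscaler's code or the post's): it checks the firewall, Security Center and Windows Update services, the Security Center registry values that silence the "no antivirus / no firewall / updates off" warnings, the Automatic Updates policy, and which products have registered themselves as antivirus with Security Center. It assumes an elevated PowerShell 3.0 or later on Windows Vista or later; the path heuristic for a suspicious registered AV is an assumption.

```powershell
# Added example, not from the original post or from Zscaler: read-only triage for the symptoms
# described (firewall off, AV/update warnings silenced, a rogue product registered as the AV).
# Requires PowerShell 3.0+ on Windows Vista or later, run elevated. Nothing here changes state.

function Test-SuspiciousAvPath {
    param([string] $Path)
    # Heuristic (assumption): real AV products install under Program Files; fake AVs typically
    # register an executable dropped into a user profile, AppData or Temp directory.
    return ($Path -match '\\(Users|Documents and Settings)\\' -or $Path -match '\\AppData\\' -or $Path -match '\\Temp\\')
}

function Get-FakeAvTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Security services: Windows Firewall (MpsSvc), Security Center (wscsvc), Windows Update (wuauserv)
    foreach ($name in 'MpsSvc', 'wscsvc', 'wuauserv') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc)            { $findings.Add("service $name not found"); continue }
        if ($svc.Status -ne 'Running') { $findings.Add("service $name is $($svc.Status)") }
    }

    # 2. Security Center warning suppression. A value of 1 silences the corresponding balloon
    #    (firewall off / no antivirus / updates off) or tells Security Center the user manages it.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($value in 'FirewallDisableNotify', 'AntiVirusDisableNotify', 'UpdatesDisableNotify',
                       'FirewallOverride', 'AntiVirusOverride') {
        $v = (Get-ItemProperty -Path $sc -Name $value -ErrorAction SilentlyContinue).$value
        if ($v -eq 1) { $findings.Add("$value = 1 under $sc (Security Center warning suppressed)") }
    }

    # 3. Automatic Updates switched off by policy
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto = (Get-ItemProperty -Path $au -Name 'NoAutoUpdate' -ErrorAction SilentlyContinue).NoAutoUpdate
    if ($noAuto -eq 1) { $findings.Add("NoAutoUpdate = 1 under $au (automatic updates disabled by policy)") }

    # 4. Products that have registered themselves as antivirus with Security Center
    $products = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    if ($products.Count -eq 0) { $findings.Add('no antivirus product registered with Security Center') }
    foreach ($p in $products) {
        $exe = [string]$p.pathToSignedProductExe
        if (Test-SuspiciousAvPath $exe) {
            $findings.Add("registered AV '$($p.displayName)' runs from a user-writable path: $exe (productState $($p.productState))")
        }
    }

    [pscustomobject]@{
        Findings     = $findings.ToArray()
        RegisteredAV = $products | Select-Object displayName, pathToSignedProductExe, productState
    }
}

$triage = Get-FakeAvTriage
$triage.RegisteredAV | Format-Table -AutoSize
if ($triage.Findings.Count -eq 0) { 'No fake-AV symptoms found' } else { $triage.Findings }
```

A legitimate product that is merely out of date will also show up in the registered-AV table, so treat the findings as leads for the manual check, not as a verdict; the stopped services and the suppression values are the ones that rarely have an innocent explanation on a home machine.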

The malware further downloads and runs a file called 'data.exe' from a malicious domain which is blocked by Google Safe Browsing, but the exe is detected by only 9/46 AV products.