27 May 2024

Threat actors use fake antivirus websites to spread malware


Threat actors are using fake websites disguised as download pages for legitimate antivirus products from the well-known vendors Avast, Bitdefender, and Malwarebytes to distribute malware capable of stealing sensitive information from both Android and Windows devices. The Trellix Advanced Research Center team has identified multiple fraudulent AV sites hosting malicious files, including APK, EXE, and Inno Setup installers with spyware and stealer capabilities.

One of the fake websites identified by Trellix is avast-securedownload[.]com masqueraded as an official Avast download page. It delivers an Android package file named ‘Avast.apk,’ which installs the SpyNote trojan. The malware can install or delete packages, read call logs, SMS, contacts, storage data, and more. It also has the ability to record audio, disable keyguards, and even engage in cryptocurrency mining activities.

Trellix has also discovered a fake site posing as a Bitdefender download site (bitdefender-app[.]com), which offers a ZIP archive named “setup-win-x86-x64.exe.zip.” Inside this archive is an executable file that installs the Lumma info-stealer. This malware harvests sensitive information such as PC name, username, hardware ID, screen resolution, CPU details, memory status, running processes, login data, and browsing history.

Another bogus website (malwarebytes[.]pro) appears to be a Malwarebytes download page and distributes a RAR archive file named ‘MBSetup.rar.’ The archive includes an Inno Setup installer, a readme file, and several legitimate-looking DLLs. It installs the StealC information-stealing malware, which is capable of stealing account tokens, saved card details, system profiles, and various other types of sensitive data from browsers and the system.

The researchers said they have also found malicious binaries posing as Trellix files (AMCoreDat.exe) that install information-stealing malware.
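The domains and file names above are usable indicators for a defender. The following script is an added example (not Trellix's or the article's own code) that refangs the defanged domains quoted in the article, parses constructed web-proxy log lines, and flags requests that hit a known fake-AV domain or download one of the named payload files. It also goes one step beyond the article by treating any host that carries a vendor brand name but is not under that vendor's real domain as a lookalike candidate; the brand-to-domain table and the log format are assumptions, not anything the article describes.

```python
"""Flag proxy-log requests to the fake antivirus domains named in the article.

Added example, not Trellix's or the article's code. The domains and file names
come from the article; the log lines, log format and the brand/legitimate-domain
table are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Defanged IoCs exactly as printed in the article.
FAKE_AV_DOMAINS_DEFANGED = [
    "avast-securedownload[.]com",
    "bitdefender-app[.]com",
    "malwarebytes[.]pro",
]

# Payload file names named in the article.
MALICIOUS_FILENAMES = {
    "Avast.apk",
    "setup-win-x86-x64.exe.zip",
    "MBSetup.rar",
    "AMCoreDat.exe",
}

# Assumed table of brand tokens and each vendor's real apex domain; a defender
# would maintain and extend this list for the products in use.
LEGIT_VENDOR_DOMAINS = {
    "avast": "avast.com",
    "bitdefender": "bitdefender.com",
    "malwarebytes": "malwarebytes.com",
}


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can be matched."""
    return domain.replace("[.]", ".")


FAKE_AV_DOMAINS = {refang(d) for d in FAKE_AV_DOMAINS_DEFANGED}


def host_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a fake-AV download (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    reasons = []
    if any(host_matches(host, d) for d in FAKE_AV_DOMAINS):
        reasons.append(f"known fake AV domain: {host}")
    if filename in MALICIOUS_FILENAMES:
        reasons.append(f"known payload file name: {filename}")
    # Generalisation beyond the article: a host containing a vendor brand name
    # that is not under the vendor's real domain is a lookalike candidate.
    for brand, legit in LEGIT_VENDOR_DOMAINS.items():
        if brand in host and not host_matches(host, legit):
            reasons.append(f"brand '{brand}' outside {legit}: {host}")
            break
    return reasons


# Assumed log format: "<timestamp> <client-ip> <METHOD> <url> <status>".
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Parse log lines and return hits as (client, url, reasons) tuples."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        reasons = classify_url(m["url"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = [
    "2024-05-27T10:01:02Z 10.0.0.12 GET https://www.avast.com/free-antivirus-download 200",
    "2024-05-27T10:02:15Z 10.0.0.12 GET https://avast-securedownload.com/Avast.apk 200",
    "2024-05-27T10:03:40Z 10.0.0.23 GET https://bitdefender-app.com/setup-win-x86-x64.exe.zip 200",
    "2024-05-27T10:04:11Z 10.0.0.31 GET https://cdn.malwarebytes.pro/MBSetup.rar 200",
    "2024-05-27T10:05:00Z 10.0.0.44 GET https://malwarebytes-free-download.example/MBSetup.exe 200",
    "2024-05-27T10:06:00Z 10.0.0.50 GET https://example.org/index.html 200",
]

if __name__ == "__main__":
    for client, url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

The first sample line (the vendor's real site) produces no hit, which is the point of checking the brand token against the legitimate apex domain rather than blocking every host that mentions a vendor; the fifth line is caught only by that brand-lookalike rule, showing why exact IoC matching alone is not enough once the operators rotate domains.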

At present, it remains unclear how these bogus websites are being distributed and promoted to potential victims.

Last week, Elastic Security Labs detailed a cryptojacking campaign that leverages vulnerable drivers to disable security solutions on Windows systems.
