Fake anti-virus disguises used by Android malware

Android fake anti-virus downloadThe Android malware threat is growing.

As financially-motivated cybercriminals realise there’s a real opportunity to make money, so we are seeing more attacks created and distributed which target Android devices.

And it’s no surprise to see similar social engineering tricks that have worked on other operating systems in the past also being used on the Android platform.

Like fake anti-virus, for instance.

Sign up to our free newsletter.
Security news, advice, and tips.

As our friends at GFI described earlier this week, criminals spammed out links via Twitter pointing to webpages that contained a rogue app posing as a legitimate virus scanner.

Malicious tweet

SophosLabs researcher Vanja Svajcer investigated the case, and discovered the .ru domains pointed to the same IP address hosted in Ukraine.

When visited, the webpages determine whether it would be more appropriate to serve up a Java ME .jar file (for phones which are “not-so-smart”) or an Android .apk.

Depending on the URL you click on and URL parameters, you might be prompted (in Russian) to install fake updates for a variety of products including the Opera browser and Skype.

Fake updates for Android apps

Or you might be presented with a page which prompts you to run a security scan on your phone. Of course, the anti-virus “scan” it initiates is completely fake, and is designed to frighten you into installing an app onto your phone.

Fake anti-virus scan on Android

The look of the fake anti-virus scans can vary. Here’s another version, which has adopted a more traditional “Android green” theme:

Fake anti-virus scan on Android

All of this subterfuge is being undertaken, of course, for just one purpose: to trick you into downloading and installing an app onto your Android phone.

In this case, the program pretending to be an anti-virus app has even stolen an icon to trick the unwary into believing it may have been coded by Kaspersky.

Android fake anti-virus app downloaded and installed

If you went ahead and installed the app onto your mobile, it would attempt to send expensive SMS messages to premium rate services, and has the ability to download and install further code from the internet onto your Android smartphone.

Sophos products detect these latest threats as members of the Andr/Boxer family of malware.

Thanks to SophosLabs researcher Vanja Svajcer for his assistance with this article.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.