counterfeit

Tech Optimizer
August 7, 2025
Akira ransomware operators have been abusing a legitimate, signed Intel CPU tuning driver to gain kernel-level access and switch off Microsoft Defender. The technique, known as BYOVD (Bring Your Own Vulnerable Driver), loads a signed driver with a known vulnerability and uses it for privilege escalation, since the driver's valid signature lets it pass Windows' driver-signing checks. Researchers found that, once the driver is running, the attack sets Defender's DisableAntiSpyware value in the Windows Registry, with regedit.exe as the process performing the write. GuidePoint Security has published a YARA rule and indicators of compromise to help organizations detect these attacks, and stresses the need for caution when downloading software, since the chain begins with a user running an untrusted installer.
AppWizard
August 6, 2025
A cybercrime campaign is targeting Android users with counterfeit antivirus applications that install the LunaSpy spyware. Active since at least February 2025, it spreads through messaging apps and fake Telegram channels, using social engineering to pass the malware off as legitimate security software. Once installed, the app runs fake scans and shows alarming results to pressure users into granting extensive permissions, which it then uses to reach personal data. LunaSpy can steal passwords, record audio and video, read text messages, track location, and capture screen activity, and it communicates with its operators through around 150 domains and IP addresses. Users are advised to avoid unofficial software sources and to treat unsolicited download prompts with suspicion.
Tech Optimizer
August 2, 2025
Avast has been recognized by Software Experts as a leading antivirus solution for Windows 10 in 2025, specifically highlighting Avast Premium Security and Avast Ultimate for their robust security frameworks, advanced privacy features, and user-friendly interfaces. Avast Premium Security offers real-time protection against viruses, malware, and ransomware, a ransomware shield, webcam protection, scam detection, anti-phishing protection, an advanced firewall, and email scanning. Avast Ultimate includes additional tools such as Avast SecureLine VPN for internet traffic encryption, Avast Cleanup Premium for system optimization, and Avast AntiTrack for digital privacy. Avast is a global cybersecurity firm that provides comprehensive protection across various platforms and has been acknowledged by independent testing labs.
Tech Optimizer
July 30, 2025
A new malware strain called JSCEAL is targeting cryptocurrency users through online advertising. Active since early 2025, it uses deceptive ads on platforms such as Facebook to lure victims to counterfeit websites that impersonate well-known exchanges including Coinbase, Binance, and OKX, where users are tricked into downloading fake trading apps that harvest credentials and wallet data. Over 35,000 malicious ads were tracked in 2025, affecting thousands of users. The campaign relies on malvertising and JavaScript-based payloads that exploit browser vulnerabilities; its polymorphic code helps it evade detection, and it can take remote control of devices using Android Accessibility permissions. Cryptocurrency exchanges are responding by strengthening their own security and advising users to verify app sources, enable multi-factor authentication, and use ad blockers. Users are also encouraged to enable browser extensions that flag suspicious sites and to install applications only from official stores.
AppWizard
July 23, 2025
Security researchers at Trustwave SpiderLabs have identified a complex cluster of Android malware that combines click fraud, credential theft, and brand impersonation. The malware is distributed as Android Package Kit (APK) files sideloaded from phishing messages or deceptive websites, disguised as apps from reputable brands or as promotional apps. Once installed, it abuses Android's permission model to reach sensitive resources, primarily for click fraud and traffic redirection that generate illicit revenue. Some variants also collect data and harvest credentials, using evasion tactics such as counterfeit Chrome applications and overlay screens. One notable variant is a spoofed Facebook app that mimics the official interface and takes instructions from a remote command-and-control server. The malware uses encryption and encoding to obscure its data exchanges and employs open-source tools to bypass Android's signature verification. Evidence suggests the operators may be Chinese-speaking: the code contains Simplified Chinese strings, and related APK campaigns are promoted on Chinese-speaking underground forums.
AppWizard
July 7, 2025
Malicious applications and spyware are increasingly targeting Android users. Adware, particularly the Android.HiddenAds family, remains the most prevalent threat despite a decrease in detections, while the Android.MobiDash adware trojans have increased by over 11%. The Android.FakeApp malware, which disguises itself as legitimate applications, has seen a 25% decline in activity and primarily targets Turkish- and French-speaking users. Android.Banker detections have surged by over 70%, indicating a rise in banking trojans. A large-scale crypto theft operation used the Android.Clipper.31 trojan, embedded in a modified WhatsApp build and in low-cost Android firmware, to replace cryptocurrency wallet addresses copied to the clipboard. Spyware tracked as Android.Spy.1292.origin targets Russian military personnel through a counterfeit mapping application. Malicious applications continue to be found on Google Play, including adware disguised as cryptocurrency news apps and fake finance applications. The open nature of Android poses ongoing security risks, even within official app stores.
AppWizard
July 3, 2025
Android malware has surged by 151% since the beginning of the year, with a notable 147% increase in spyware in 2025. Spyware activity peaked in February and March, reaching nearly four times the baseline. Smishing attacks via SMS increased by 692% between April and May. Banking trojans and spyware are increasingly hidden in seemingly legitimate applications, such as fake loan services. Over 30% of Android devices run outdated software lacking security patches, exposing users to vulnerabilities. Cybercriminals are developing interconnected operations that target sensitive user data. Google Play Protect is not fully effective, and users are advised to download apps only from official sources, review app permissions, deny unnecessary notification access, keep software updated, and use trusted mobile security apps.