There are lots of legitimate free antivirus programs and apps available for download, and criminals have used this to their advantage. By tricking you into downloading a fake antivirus program, the criminals get to compromise your computer (or mobile in the case of an app) while you believe you are protected. They may even go as far as asking you to pay for upgrades for premium features (which also don’t really exist). Some even behave like real antivirus programs and get updates and run scans. Really sophisticated ones even perform antivirus functions, protecting you from other viruses, though in truth they are only protecting their own viruses, in much the same way that a gang running a protection racket will fight off other gangs trying to muscle in.
Many fake antivirus systems use names that are similar to the genuine ones, so for example Microsoft Security Essentials (which is genuine) becomes Microsoft Essential Security Pro. Only a few years ago, there were listings with over 349 known fake / rogue antivirus or anti-spyware products. While the scale of the problem has reduced significantly, it hasn’t gone away; the criminals have just changed tactics. One of these tactics is to use fake free antivirus smartphone apps to spread banking trojans. In March 2022, security researchers uncovered six antivirus apps in the official Google Play store spreading the SharkBot trojan. The apps were called: 'Antivirus, Super Cleaner', 'Atom Clean-Booster, Antivirus', 'Alpha Antivirus, Cleaner', 'Powerful Cleaner, Antivirus' and 'Center Security – Antivirus'. All the apps have since been pulled from the Google Play store, but expect to read similar stories in future.
If it transpires that you do have fake antivirus installed, stop all internet shopping and banking immediately. Contact your bank and get them to issue you a new card. Locate another computer that you know to be trustworthy and change any passwords for email accounts etc. that you may have used since you installed the fake antivirus software. Then you are probably better off taking your machine to be fixed at a computer shop. In the case of a smartphone app, please uninstall it immediately, and install mobile antivirus from a major antivirus company to check your mobile for any other suspicious apps.
If you choose to use free antivirus, try to install it from the major antivirus companies’ websites, or even www.av-test.org, rather than from file sharing sites or from an advert. Don’t assume the first entry in a search engine for free antivirus is genuine (yes, criminals pay to be on the first page of search engines). If you use Microsoft Windows 10 or 11, the built-in Microsoft Defender Antivirus and Windows Security components are a safer free option if you are not sure which solution to use.
Another common scenario is the fake antivirus alert, typically delivered as an email, via your browser notification feature or as a website popup window. It tends to either warn you that your subscription has expired and that your computer is no longer protected, or it may say ‘malware found’, or ‘5 infections detected’ or something similar, with a call-to-action button or two. Those buttons may all do the same thing, so it is best not to click on either.
When the fake notification matches the branding and logo of the antivirus solution that is installed on your computer, the email or alert can be quite convincing, as people assume it is their own antivirus program. If you are unsure, always manually open your antivirus software, as any real alerts would also be displayed quite prominently. Also, any unexpected antivirus discount offers or promotions need to be treated with caution. Be careful when filling out online questionnaires asking about what antivirus software you use or when the subscription expires. The information can be used at a later date to send fake renewals with the correct dates and details, which you may have forgotten that you or someone else in your household shared.
There is also another type of fake antivirus alert based on the supposed ‘helpful’ service provider, major brand or trusted source. These are the ‘Microsoft / Google has identified an issue’ alerts, or a warning from BT (or your internet provider), or, in the example below, the Yahoo Security Team.
To be safe, check your browser notification settings and make sure notifications are only turned on for websites you trust, or turned off completely. Here are some of the common browser notification settings:
Google Chrome: chrome://settings/content/notifications
Microsoft Edge: edge://settings/content/notifications
Mozilla Firefox: about:preferences#privacy > Notifications > Settings
Apple Safari: Settings > Websites > Notifications
macOS: Apple menu > System Settings > Notifications
Fraudsters sometimes reuse email templates or buy the same email kit on the dark web, and in the next two examples you can see that the same template has been used for fake subscription expiry emails for both NordVPN and McAfee antivirus.
Here, the fraudsters are looking to entice their victims with an 89% discount on renewal for 1 year, and to add to the pressure, the offer expires the same day. There are a couple of reality checks that you can do: firstly, too-good-to-be-true renewal discounts over 80% are rare (that said, O&O Software do have 92% sales), and secondly, offers will typically run for a minimum of 3 days. Nearly forgot to mention, renewal emails with no branding are more than likely fake.
Also, if you think the email may be genuine, remember to check that you actually have the software mentioned on any renewal emails, and if you do, open the software and make sure the subscription expiry date and account details are the same.
Can you see that the same 89% renewal discount and same-day offer expiry have been used in the second example below?
The main difference with the second example is the focus on a declined payment, which is why the subscription (supposedly) expired. In both template examples the sender email is not linked in any way to the service they claim to be alerting you about, which is an easy giveaway. That said, fake email addresses with variations of the brand may be utilised if the fraudster thinks it’s worth investing the time and effort (e.g. mcafee-renewal-support.com was available at the time of writing this for £10.99 a year) so even if the brand name is in the domain, it may not be real.
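The reality checks above (discount over 80%, same-day expiry, a sender domain that is unrelated to the brand or only contains its name) can be scripted for triage. The following is an added example, not part of the original article; the function names, the OFFICIAL_DOMAINS list and the sample emails are assumptions constructed for illustration, and it only handles plain-text, single-part messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains each brand really sends from; maintain this list yourself.
OFFICIAL_DOMAINS = {"mcafee": {"mcafee.com"}, "nordvpn": {"nordvpn.com"}}

def sender_domain(msg):
    # Uses the displayed From address only, which is what the reader sees.
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def is_official(domain, brand):
    # Exact match or a true subdomain; "mcafee-renewal-support.com" is neither.
    return any(domain == d or domain.endswith("." + d)
               for d in OFFICIAL_DOMAINS.get(brand, ()))

def renewal_red_flags(raw):
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    domain = sender_domain(msg)
    flags = []
    for brand in OFFICIAL_DOMAINS:
        if brand in text and not is_official(domain, brand):
            # Brand name inside a non-official domain is a lookalike.
            flags.append("lookalike-domain" if brand in domain else "unrelated-sender")
    if any(int(p) > 80 for p in re.findall(r"(\d{1,3})\s*%", text)):
        flags.append("discount-over-80")
    if re.search(r"expires?\s+(today|tonight)|today only", text):
        flags.append("same-day-expiry")
    return flags

# Constructed sample emails modelled on the two templates described above.
SAMPLE_UNRELATED = (
    "From: Billing <billing@example.net>\n"
    "Subject: Your NordVPN subscription has expired\n\n"
    "Renew now with 89% off for 1 year. Offer expires today.\n")
SAMPLE_LOOKALIKE = (
    "From: McAfee <noreply@mcafee-renewal-support.com>\n"
    "Subject: Payment declined\n\n"
    "Your McAfee subscription expired. Renew with 89% off, today only.\n")
SAMPLE_PLAUSIBLE = (
    "From: McAfee <renewals@mail.mcafee.com>\n"
    "Subject: Renewal reminder\n\n"
    "Your McAfee subscription renews in 14 days. Save 20% this week.\n")

if __name__ == "__main__":
    for sample in (SAMPLE_UNRELATED, SAMPLE_LOOKALIKE, SAMPLE_PLAUSIBLE):
        print(renewal_red_flags(sample))
```

An empty result only means none of these three checks fired; confirming the expiry date inside the installed software remains the deciding check.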
Also, be cautious of any emails that tell you that your computer is infected with x number of viruses. On every computer that I have removed viruses from, the installed antivirus had been altered by the virus to stay undetected. Scans using the antivirus would result in a clean report. If your antivirus did find a virus, it will warn you about it itself within the application.