Also known as: Fake antivirus, rogue antivirus, rogue
Category: Malware
Type: Trojan, scareware, rogueware, ransomware
Platform: Any
Variants: MSIL/FakeAV, Win32/FakeRean, Win32/Winwebsec (System Progressive Protection), Windows Stability Center, Mac Defender, Mac Protector, Mac Security, Mac Guard, Mac Shield, FakeMacDef, Win32/Defru, Win32/OneScan, Win32/FakeXPA, Win32/FakePAV, JS/FakeAlert, Win32/FakeCog, Win32/FakeScanti, Win32/FakeVimes, Win32/Vakcune, Win32/SpySheriff, Win32/Renos, Win32/FakeSecSen
Damage potential: Extortion of money, data theft, opening backdoors for other malware (like ransomware), compromised system functions
Overview
FakeAV is a common label for a broad class of malware that tries to trick victims into purchasing fake antivirus products or downloading other malware. To convince the user that they need to take action, FakeAV may display made-up threats or subtly interfere with system activity (for example, by disabling the Task Manager), asking the user to install additional software or pay to completely remove the fake infections.
Possible symptoms
If your system is infected, FakeAV will frequently interrupt your activities to run virus scans and display threat warnings. In reality, the scan results are completely fabricated (or simply display files seeded by FakeAV itself). You will also see website advertisements and browser pop ups pretending to be virus scanners, as well as system tray notifications with fake warnings from your operating system.
Other possible indicators of a FakeAV infection include:
- Your device frequently freezes or stutters.
- Your device’s fan seems to be constantly on, even when the device is idle.
- Your device periodically sends data to unknown remote servers (FakeAV is uploading victim information to its handlers).
- You notice that some system functions (such as the Task Manager or the Registry Editor) are disabled.
- Requests to certain webpages (typically for websites operated by legitimate cybersecurity providers) are redirected or display error messages.
Sources of the infection
Many FakeAV variants need to be installed on the system from an installer executable, so attackers typically rely on social engineering attacks (like phishing emails) to deliver the payload. The installer may be disguised as or come bundled with legitimate software to trick the victim.
Your device may also get infected with FakeAV from:
- Infected files shared through messaging platforms.
- Infected files downloaded from cloud storage or online repositories.
- Fake websites that are pushed to the top of search engine results using SEO poisoning techniques.
- Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
- Other malware (such as TDSS, Virtumundo, and Waled) that downloads FakeAV as part of its operations.
- Peer-to-peer (P2P) sharing of infected files.
- Infected external devices, such as hard drives or USB sticks.
Protection
To avoid a FakeAV infection, you need to know how to deal with social engineering attacks (such as phishing emails) and develop good cybersecurity habits. Do not download or open suspicious files from emails, messaging apps, or unverified sites — and make sure to scan each download with reputable anti malware tools just to be safe.
Other protective measures include:
- Use email scanning tools to identify and automatically block messages with suspicious attachments.
- Learn to ignore fake reports — for example, unexpected browser pop-ups claiming that a threat was detected may be trying to shock you into downloading FakeAV. Familiarize yourself with the cybersecurity tools you use to be able to distinguish their reports from FakeAV messages.
- Use reliable and reputable antivirus software to detect, quarantine, and eliminate a FakeAV infection.
- Avoid potentially dangerous websites, like dark web pages or torrent repositories. These websites may attempt to install malware (including FakeAV) on your device as soon as you open them.
- Use NordVPN’s Threat Protection Pro to scan programs and files for malware while they’re being downloaded. Threat Protection Pro will also alert you if you’re about to enter a known infected website and hopefully prevent drive-by download attacks.
Removal
The best way to remove an existing FakeAV infection is to use reputable antivirus software. You can try removing the malware manually while in Safe Mode, but keep in mind that FakeAV frequently stores copies of itself in multiple locations on your system and may be reinstalled after you reboot the device.