How the Fake Avast Scam Works
A phishing site mimicking Avast’s antivirus brand tricks users into downloading Venom Stealer malware. The attack begins with a fake virus scan that falsely claims your system is infected. When users attempt to “fix” the issue, they’re handed a malicious file disguised as a security tool.
Fake Scans and Malicious Payloads
The phishing page replicates Avast’s branding, including logos and navigation, to build trust. After running a staged scan, it displays fabricated results: three threats found, three removed. The “solution” is a file named Avast_system_cleaner.exe, which is actually Venom Stealer. This malware steals passwords, browser cookies, and cryptocurrency wallet data.
Malware Disguised as Chrome Services
Once executed, the malware copies itself into Chrome’s application directory as v20svc.exe, so that it blends in with legitimate software. It is packed with a crypter to evade detection, and only 27% of antivirus engines on VirusTotal flagged it. The binary still contains debug artifacts such as crypter_stub.pdb, a reference left over from the crypter stub that confirms its malicious intent.
What the Malware Steals
- Browser Credentials: Harvests saved passwords and session cookies from Chrome, Edge, and Firefox.
- Cryptocurrency Wallets: Targets desktop wallets to steal private keys and balances.
- System Data: Takes screenshots and writes session-tracking files that mimic those of legitimate Windows processes.
Data Exfiltration Tactics
Stolen data is sent to a domain named app-metrics-cdn.com, disguised as an analytics service. The malware uses HTTP (not HTTPS) to avoid detection and sends data in structured JSON and multipart form formats. It also checks for debuggers and virtual machines to evade analysis.
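The indicators named above can be turned into a simple hunt. The following is an added example, not code from the original article or from Avast: it flags the lure file name, the v20svc.exe copy inside Chrome's application directory, and cleartext HTTP POSTs of JSON or multipart data to app-metrics-cdn.com. The proxy log layout, the sample events, the URL paths and the Chrome path fragment are constructed assumptions.

```python
from urllib.parse import urlsplit
# Indicators quoted in the article.
C2_DOMAIN = "app-metrics-cdn.com"
DROPPED_NAME = "v20svc.exe"
LURE_NAME = "avast_system_cleaner.exe"
EXFIL_TYPES = ("application/json", "multipart/form-data")
CHROME_DIR = "\\google\\chrome\\application\\"  # assumed path fragment

# Constructed samples. Assumed proxy layout: time src method url content-type bytes
PROXY_LOG = [
    "2025-01-01T10:00:01Z 10.0.0.5 POST http://app-metrics-cdn.com/up multipart/form-data 48211",
    "2025-01-01T10:00:02Z 10.0.0.5 POST http://app-metrics-cdn.com/up application/json 912",
    "2025-01-01T10:00:03Z 10.0.0.7 GET https://app-metrics-cdn.com.example.org/a.js text/javascript 2048",
]
PROCESS_PATHS = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Google\Chrome\Application\v20svc.exe",
    r"C:\Users\sample\Downloads\Avast_system_cleaner.exe",
]

def match_proxy(line):
    """Return (source_ip, reasons) for traffic to the exfiltration domain, else None."""
    _ts, src, method, url, ctype, _size = line.split()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact host or true subdomain only, so lookalike hosts are not flagged.
    if host != C2_DOMAIN and not host.endswith("." + C2_DOMAIN):
        return None
    reasons = ["exfil-domain"]
    if parts.scheme == "http" and method == "POST":
        reasons.append("cleartext-post")
    if ctype.lower().startswith(EXFIL_TYPES):
        reasons.append("json-or-multipart")
    return src, reasons

def match_process(path):
    """Tag the lure installer and the copy dropped next to chrome.exe."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    if name == DROPPED_NAME and CHROME_DIR in p:
        return "dropped-copy-in-chrome-dir"
    return "lure-installer" if name == LURE_NAME else None

def hunt(proxy_lines, process_paths):
    net = [("network",) + hit for hit in map(match_proxy, proxy_lines) if hit]
    host = [("host", p, [t]) for p in process_paths if (t := match_process(p))]
    return net + host

if __name__ == "__main__":
    print(*hunt(PROXY_LOG, PROCESS_PATHS), sep="\n")
```

File names and a single domain are easy for an operator to change, so treat a match as a lead for triage rather than as complete coverage.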
How to Protect Yourself
Scams like this exploit urgency and trust in security brands. To stay safe:
- Only download security software from official websites like avast.com.
- Avoid clicking links in unsolicited emails or search ads.
- Scan suspicious files with multiple antivirus tools before opening them.
What to Do If You’re Affected
If you suspect exposure, disconnect from the internet, run a full system scan, and change all passwords. Use a dedicated malware removal tool like Malwarebytes to clean your system thoroughly.
Why This Scam Works
Impersonating trusted brands is a repeatable tactic. In 2025, similar campaigns targeted the Bitdefender brand, distributing Venom RAT alongside the StormKitty stealer. Attackers rely on fear and urgency to bypass user skepticism. Always verify the source of security tools before downloading.
Conclusion
The fake Avast site is a sophisticated phishing scam designed to steal sensitive data. By understanding how these attacks work and following basic security practices, you can avoid falling victim. Stay vigilant, and always verify the authenticity of security tools before use.







