Program.FakeAntiVirus
Program.FakeAntiVirus is Dr.Web’s detection name for fraudulent Android applications that imitate antivirus software. According to the source reporting, these apps report nonexistent threats or infections and pressure users to purchase the full version of the software, supposedly to remove them. The reporting characterizes them as fake apps/adware used for fraud rather than legitimate security tools. Dr.Web listed them among the common unwanted software observed in Android threat reporting for 2025, alongside other deceptive app categories such as fake money-making apps. The source reporting provides no specific threat actor, industry targeting, infection vector beyond distribution as Android apps, or concrete indicators of compromise.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Scareware-style unwanted apps that claim to detect threats and pressure users into paying for a 'full version'.
Fake antivirus/scareware that reports nonexistent infections to coerce payment for a ‘full version’.
Scareware/adware posing as antivirus; reports fake threats to coerce purchase of a 'full version'.