The malware is delivered via email, and among other things, it misuses the system tray icon of the aforementioned legitimate software. Users clicking on the icon are faced with pop-up messages claiming that "Your Avast! Antivirus is being updated, wait" or "Avast! antivirus: Attention, your system is protected."
The Trojan is written in Delphi, and is small in size - only 386Kb - but it still manages to do nasty things such as trying to remove legitimate AV software from the infected computer before installing itself. Among the targeted software are solutions by Microsoft, Kaspersky, Panda, McAfee, Symantec, Avast, and others.
Bestuzhev speculates that the malware creators decided to disguise it as Avast AV because it's the most popular one in Brazil, and because people in Latin America still don’t want to pay when there is something to be had for free.
He also warns that Brazilian banking Trojans often come with fake descriptions, trying to pose as modules of different AV products:
Add to this the fact that some Brazilian banking malware is signed with valid digital certificates, and it's easy to see why cyber theft is rampant in Latin America.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.