Avira Free Antivirus Accused of Stealing Browser Passwords

Avira Free Antivirus Accused of Stealing User Passwords from Major Browsers

Konstantin Nikolenko (@Veliant), an employee of Doctor Web, published a writeup on Habr describing questionable functionality in Avira's free antivirus product (Avira Free Antivirus). According to the researcher, one of the components shipped with the free version collects the user's saved credentials.

Nikolenko first draws attention to a component named Avira.PWM.NativeMessaging.exe, a .NET binary that is not obfuscated in any way (the name suggests a native messaging host, the helper process a browser launches on behalf of an extension, here apparently for Avira's password manager). After analyzing part of the program, he noted a function that reads incoming data via "Read", checks its format, and then hands the command to another function, "ProcessMessage". That function checks whether the received command is "fetchChromePasswords" or "fetchCredentials".

After this, as Nikolenko puts it, "the most interesting part begins": the function "RetrieveBrowserCredentials" is called. The name alone, "retrieve browser credentials", already raises suspicion.

In practice, "RetrieveBrowserCredentials" turned out to collect all credentials the user has saved in Chrome, Opera, Firefox, and Edge. The collected data is then returned to the caller as a JSON object.
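To make the message flow described above concrete, here is an added model of a native messaging host that reads a frame, checks its format, dispatches on the command, and answers with JSON. This is illustrative code written for this page, not Avira's code: the only details taken from the writeup are the two command names and the function names read/process/retrieve, whose bodies here are assumptions. The framing is Chrome's standard native messaging protocol (a 32-bit length prefix in native byte order followed by UTF-8 JSON), and the "credential store" is a constructed fake so the script runs offline and touches no real browser profile.

```python
"""Minimal model of a browser native-messaging host (added illustration).

Not Avira's code. Only the command names "fetchChromePasswords" and
"fetchCredentials" come from the writeup; everything else is an assumption.
Framing follows Chrome's native messaging protocol: uint32 length (native
byte order) + UTF-8 JSON body, on stdin/stdout of the host process.
"""
import io
import json
import struct

# Commands the writeup says the host dispatches on.
CREDENTIAL_COMMANDS = {"fetchChromePasswords", "fetchCredentials"}

# Constructed stand-in for browser password stores; no real data is read.
FAKE_STORE = {
    "chrome": [{"url": "https://example.test", "user": "alice", "pass": "hunter2"}],
    "firefox": [],
}


def read_frame(stream):
    """Read one length-prefixed JSON frame; return None at clean EOF."""
    header = stream.read(4)
    if len(header) == 0:
        return None
    if len(header) < 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("@I", header)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated frame body")
    return json.loads(body.decode("utf-8"))


def write_frame(stream, obj):
    body = json.dumps(obj).encode("utf-8")
    stream.write(struct.pack("@I", len(body)))
    stream.write(body)


def encode_frame(obj):
    """Serialize obj as one frame (what an extension would put on the pipe)."""
    buf = io.BytesIO()
    write_frame(buf, obj)
    return buf.getvalue()


def read_message(stream):
    """The 'Read' step: read a frame and check its format before dispatch."""
    msg = read_frame(stream)
    if msg is None:
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("command"), str):
        raise ValueError("malformed request: expected object with string 'command'")
    return msg


def parse_request(data):
    """Convenience wrapper: parse a single raw request frame from bytes."""
    return read_message(io.BytesIO(data))


def retrieve_browser_credentials(store=FAKE_STORE):
    """Stand-in for the collection step; returns a copy of the fake store."""
    return {browser: [dict(e) for e in entries] for browser, entries in store.items()}


def process_message(msg):
    """The 'ProcessMessage' step: dispatch on the command name."""
    cmd = msg["command"]
    if cmd in CREDENTIAL_COMMANDS:
        return {"ok": True, "credentials": retrieve_browser_credentials()}
    return {"ok": False, "error": "unknown command: " + cmd}


def serve(inp, out):
    """Host loop: answer every request frame until EOF; return count handled."""
    handled = 0
    while (msg := read_message(inp)) is not None:
        write_frame(out, process_message(msg))
        handled += 1
    return handled


def roundtrip(commands):
    """Feed a list of command names through serve() and return decoded replies."""
    inp = io.BytesIO(b"".join(encode_frame({"command": c}) for c in commands))
    out = io.BytesIO()
    serve(inp, out)
    out.seek(0)
    replies = []
    while (reply := read_frame(out)) is not None:
        replies.append(reply)
    return replies


if __name__ == "__main__":
    for reply in roundtrip(["fetchCredentials", "ping"]):
        print(json.dumps(reply))
```

The point for a defender is that a host like this is not invoked by the user but by whichever extension is allowed to talk to it: on Windows, Chrome, Edge and Firefox each locate hosts through a per-browser registry key (for example HKCU or HKLM\Software\Google\Chrome\NativeMessagingHosts\<name>) whose default value points at a JSON manifest, and that manifest's allowed_origins lists the extension IDs permitted to launch the binary and send it commands. Auditing those keys and manifests shows which installed binaries a browser extension can reach in this way.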

Nikolenko says he sent all the relevant details to Avira representatives on April 7, 2020. As of this writing the vendor has not commented on the issue, which has been assigned its own identifier, CVE-2020-12680.
