Popular PC clean-up tool CCleaner hijacked to distribute malware

18 Sep 2017

Millions of people use CCleaner to optimise the speed of their devices. Image: Natali_ Mis/Shutterstock

Users of the Avast-owned security application CCleaner for Windows are advised to update the software immediately.

Malicious software has slipped into CCleaner, a popular computer program that cleans up junk files and cookies to speed up your Android device or Windows PC.

CCleaner was developed by Piriform, and was purchased by Avast in July, with a reported 130m users at the time of the deal, according to Reuters.

Cisco’s Talos revealed today (18 September) in a blog post that its team had found a specific CCleaner executable that was triggering its advanced malware protection systems during an analysis.

Malicious version active for weeks

The affected version of CCleaner was released on 15 August of this year, and an update followed on 12 September. The malicious version was therefore live for the several weeks between those two releases, leaving users exposed during that period.

The payload could have made it possible for affected devices to download and execute other dangerous software varieties, including ransomware.

This particular attack is especially devious because users are far less likely to be suspicious of historically trusted antivirus and computer-optimisation apps and services such as CCleaner, which highlights the increasing sophistication of cybercrime collectives.

Another large-scale attack

In a security notice on the Piriform website, the company estimated that the number of affected users could be as high as 2.27m, but added that the problem had been swiftly resolved with no reported harm to users.

Piriform insisted that the data was all encrypted, making it unlikely to be accessed, but this type of security incident is still worth noting due to its sheer scale.

Avast CTO Ondrej Vlcek told Forbes: “2.27m is certainly a large number, so we’re not downplaying in any way. It’s a serious incident. But, based on all the knowledge, we don’t think there’s any reason for users to panic.

“To the best of our knowledge, the second-stage payload never activated. It was prep for something bigger, but it was stopped before the attacker got the chance.”

Piriform is working with the authorities to determine the root of the attack.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects