Well-known antivirus vendor Avast has been unwittingly distributing a hacked program containing malware to millions of users for almost a month, Cisco's Talos security researchers have discovered.
The malware was discovered after it triggered Talos malware protection systems at a customer site.
On further analysis, Talos researchers found the Floxif information-stealing backdoor inserted into a signed version of Avast's CCleaner utility.
CCleaner is free system maintenance software that runs on Windows, with a claimed two billion downloads by November last year, and adding five million users a week.
Avast said in a statement that an estimated 2.27 million users had installed the trojanised version of CCleaner.
The affected version of CCleaner was released on August 15 and was available for download until September 12.
Avast bought the developers of CCleaner, Piriform, in July this year and incorporated the program into its suite of software tools.
Piriform has confirmed that version 5.33.6162 of the Windows standalone binary and version 1.07.3191 of CCleaner Cloud were compromised, and has apologised to users.
Since the digital signature for the trojanised version of CCleaner was valid, Talos said it most likely meant the program development environment had been compromised by attackers to insert the malware.
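As an added defender-side check, not code from the article, Avast or Piriform: a PowerShell inventory script that flags the affected standalone build on a Windows host and records the Authenticode status alongside it. The install paths and the version-string formats it parses are assumptions.

```powershell
# Added example (not from the article, Avast or Piriform): endpoint inventory check for the
# trojanised CCleaner 5.33.6162 build named in the article.
# Assumptions: the default install paths below, and FileVersion in either
# "5.33.6162" or "5, 33, 0, 6162" style. Adjust $CandidatePaths for non-default installs.

$CandidatePaths = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "$env:ProgramFiles\CCleaner\CCleaner64.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
)

function Test-CCleanerBuildAffected {
    # Returns $true when the version string denotes the 5.33 release with build number 6162.
    param([Parameter(Mandatory)][string]$VersionString)
    try {
        $v = [version]($VersionString -replace '\s*,\s*', '.')
    } catch {
        return $false   # unparseable version string: report it, but do not flag it
    }
    return ($v.Major -eq 5 -and $v.Minor -eq 33 -and
            ($v.Build -eq 6162 -or $v.Revision -eq 6162))
}

function Get-CCleanerExposure {
    foreach ($Path in $CandidatePaths) {
        if (-not (Test-Path -LiteralPath $Path)) { continue }
        $info = (Get-Item -LiteralPath $Path).VersionInfo
        $sig  = Get-AuthenticodeSignature -FilePath $Path
        [pscustomobject]@{
            Path            = $Path
            FileVersion     = $info.FileVersion
            AffectedBuild   = Test-CCleanerBuildAffected -VersionString $info.FileVersion
            # Recorded for the report only: the article notes the trojanised build carried a
            # valid signature, so a 'Valid' status must not be used to clear the host.
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
        }
    }
}

Get-CCleanerExposure | Format-Table -AutoSize
```

The AffectedBuild column is the actionable one; the signature columns only show why a signature check alone would have missed this build.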