An organization specializing in testing antivirus products concluded in a report published this week that roughly two-thirds of all Android antivirus apps are a sham and don’t work as advertised.
The report, published by Austrian antivirus testing outfit AV-Comparatives, was the result of a grueling testing process that took place in January this year and during which the organization’s staff looked at 250 Android antivirus apps available on the official Google Play Store.
The report’s results are tragicomic, with antivirus apps detecting themselves as malware, and go to show the sorry state of the Android antivirus industry, which appears to be filled with more snake-oilers than actual cyber-security vendors.
Only 80 of 250 apps passed a basic detection test
The AV-Comparatives team said that out of the 250 apps they tested, only 80 detected more than 30 percent of the malware they threw at each app during individual tests.
The tests weren’t even that complicated. Researchers installed each antivirus app on a separate device (no emulator involved) and automated the device to open a browser, download a malicious app, and then install it.
They did this 2,000 times for each app, having the test device download 2,000 of the most common Android malware strains found in the wild last year, meaning that all antivirus apps should have already indexed these strains a long time ago.
Some apps don’t actually scan for malware
However, the results didn’t reflect this basic assumption. AV-Comparatives staffers said that many antivirus apps didn’t actually scan the apps the user was downloading or installing, but merely used a whitelist/blacklist approach that looked only at package names (instead of the apps’ code).
Essentially, some antivirus apps would mark any app installed on a user’s phone as malicious, by default, if the app’s package name wasn’t included in its whitelist. This is why some antivirus apps detected themselves as malicious when the apps’ authors forgot to add their own package names to the whitelist.
In other cases, some antivirus apps used wildcards in their whitelist, with entries such as “com.adobe.*”.
In these cases, all a malware strain had to do was to use a package name of “com.adobe.[random_text]” to bypass the scans of tens of Android antivirus products.
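The name-only allowlist logic described above, modelled next to a check that pins each allowed package to its signing certificate. This is an added example, not code from AV-Comparatives or any tested app; the package names, digests and function names are constructed, and a real scanner would still have to inspect the app's code.

```python
from fnmatch import fnmatchcase

# Constructed sample data: package names and signer digests are placeholders.
NAME_ALLOWLIST = ["com.adobe.*", "com.example.mail"]
SIGNER_ALLOWLIST = {  # exact package name -> expected signing-cert digest
    "com.adobe.reader": "aa11",
    "com.example.mail": "bb22",
    "com.example.fakeav": "cc33",  # the scanner pins itself too
}
INSTALLED = [
    {"pkg": "com.adobe.reader", "signer": "aa11"},    # genuine app
    {"pkg": "com.adobe.qzxv", "signer": "ee55"},      # look-alike name, unknown signer
    {"pkg": "com.example.mail", "signer": "ff66"},    # allowed name, wrong signer
    {"pkg": "com.example.fakeav", "signer": "cc33"},  # the scanner app itself
]

def name_only_verdict(app):
    """Flawed logic from the report: trust is decided by package name alone."""
    if any(fnmatchcase(app["pkg"], pat) for pat in NAME_ALLOWLIST):
        return "clean"
    return "malicious"  # everything not listed is flagged by default

def signer_pinned_verdict(app):
    """Trust needs an exact name AND the pinned signer; unknown is not a verdict."""
    expected = SIGNER_ALLOWLIST.get(app["pkg"])
    if expected is None:
        return "needs-content-scan"  # hand off to a real scanner, do not guess
    return "clean" if app["signer"] == expected else "suspicious"

def compare(apps):
    """Return {package: (name-only verdict, signer-pinned verdict)}."""
    return {a["pkg"]: (name_only_verdict(a), signer_pinned_verdict(a)) for a in apps}

if __name__ == "__main__":
    for pkg, (weak, pinned) in compare(INSTALLED).items():
        print(f"{pkg:20} name-only={weak:10} signer-pinned={pinned}")
```

The name-only column reproduces both failures the report describes: the scanner flags itself, and anything under the wildcard prefix is waved through.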
The organization said it considered the 30 percent detection mark (with zero false positives) as a threshold between legitimate antivirus apps and those it considered ineffective or downright unsafe.
That means that 170 of the 250 Android antivirus apps failed the organization’s most basic detection tests, and were, for all intents and purposes, a sham.
“Most of the above apps, as well as the risky apps already mentioned, appear to have been developed either by amateur programmers or by software manufacturers that are not focused on the security business,” the AV-Comparatives staff said.
“Examples of the latter category are developers who make all kinds of apps, are in the advertisement/monetization business, or just want to have an Android protection app in their portfolio for publicity reasons,” researchers said.
Furthermore, many of these apps also appeared to have been developed by the same programmer on an assembly line. Tens of apps sported the same user interface, and many were more interested in showing ads than in having a fully running malware scanner.
The results of the AV-Comparatives study are no surprise to anyone in the cyber-security world who’s paid attention to the Android antivirus scene in the past few months.
ESET mobile malware analyst Lukas Stefanko has been warning the public against these threats for months.
Some of his past tweets confirm the AV-Comparatives study, with the researcher uncovering Android antivirus apps that detect themselves as malware…
Would you use AntiVirus that detect itself as risky app?
This Fake Antivirus 2019 uses only blacklist & whitelist for package names of apps + permissions check. Still forget to whitelist itself. pic.twitter.com/CdvlPkGPvL
— Lukas Stefanko (@LukasStefanko) November 28, 2018
… mimic malware scans altogether…
Fake antivirus – 𝐒𝐝 𝐂𝐚𝐫𝐝 𝐕𝐢𝐫𝐮𝐬 𝐒𝐜𝐚𝐧𝐧𝐞𝐫 – has over 10K installs but isn’t scanning any files for malware.
— Lukas Stefanko (@LukasStefanko) September 13, 2018
… detect reputable apps as malicious
Over 100,000 people are protected by this fake Antivirus.
It flags @signalapp and @PayPal as apps with high risk.
Use only trustworthy AV, not this garbage that after scan makes you uninstall almost all of your apps because its nonsense detection rules. pic.twitter.com/iy5L8fscOG
— Lukas Stefanko (@LukasStefanko) November 28, 2018
… or are the work of amateur developers, rather than established antivirus firms.
#FreeAndroidTip: Before installing an app, check other developer apps too.
Developers of fake “Antivirus 2019” have a lot of spare time, so they decided to create Solitaire game.
It is unlikely for company to focus on solid software and also game development. pic.twitter.com/els6nJBmqj
— Lukas Stefanko (@LukasStefanko) December 10, 2018
Other AV-Comparatives study findings:
- Only 23 of the tested apps detected 100% of the malware samples.
- 16 apps have not been migrated to Android 8 properly, decreasing their protection capabilities on newer Android versions.