Two-thirds of all Android antivirus apps are frauds


An organization specializing in testing antivirus products concluded in a report published this week that about two-thirds of all Android antivirus apps are shams and do not work as advertised.

The report, published by AV-Comparatives, is the result of a grueling test procedure carried out in January of this year, in which the organization's staff examined 250 Android antivirus apps available on the official Google Play Store.

The results of the report are tragicomic, with antivirus apps that detect themselves as malware, and reflect the miserable state of the Android antivirus industry, which appears to be filled with more snake-oil sellers than actual cybersecurity vendors.

Only 80 of 250 apps passed a basic detection test

The AV-Comparatives team said that only 80 of the 250 apps they tested detected more than 30 percent of the malware samples thrown at them during individual tests.

The tests were not even that complicated. Researchers installed each antivirus app on a separate physical device (no emulator) and automated the device to open a browser, download a malicious app, and then install it.

They did this 2,000 times for each app, with the test device downloading 2,000 of the most common Android malware strains found in the wild last year, meaning that every antivirus app should have had these strains indexed long ago.

Some apps do not really scan for malware

However, the results did not match this basic assumption. AV-Comparatives staff said that many antivirus apps did not actually scan the apps the user was downloading or installing, but instead used a whitelist/blacklist approach that looked only at package names rather than at the apps' code.

In essence, some antivirus apps flag any app installed on a user's phone as malicious by default if its package name is not on the whitelist. This is why some antivirus apps detected themselves as malicious: their authors forgot to add their own package names to the whitelist.

In other cases, some antivirus apps used wildcards in their whitelist, with entries such as "com.adobe.*".

In these cases, a malware variant only had to use a package name such as "com.adobe.[random_text]" to bypass the scans of dozens of Android antivirus products. A package name is whatever the developer declares in the app's manifest, and nothing on the device verifies that a "com.adobe." prefix actually belongs to Adobe, so a whitelist keyed on package names proves nothing about who wrote the app or what it does.
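As an added illustration (not code from AV-Comparatives or from any of the tested products), the following Python sketch models the two approaches described above: a scanner that decides purely on package names, including a wildcard whitelist entry and a flag-by-default rule, next to a scanner that matches on a hash of the app's code. The package names, payload bytes and hash list are constructed for the demo.

```python
"""Toy model of package-name-only scanning versus code-based scanning.

Illustrative code written for this article; not from any antivirus product
or from AV-Comparatives. All package names, payloads and hashes are made up.
"""

import fnmatch
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    package: str   # self-declared in AndroidManifest.xml; not tied to a vendor
    code: bytes    # stand-in for the APK's code (dex) bytes


class PackageNameScanner:
    """The pattern the report describes: blacklist, then whitelist (with
    wildcards), and everything else is flagged by default. The app's code
    is never opened."""

    def __init__(self, whitelist, blacklist):
        self.whitelist = list(whitelist)
        self.blacklist = set(blacklist)

    def verdict(self, app):
        if app.package in self.blacklist:
            return "malicious"
        # fnmatch's '*' also matches dots, so "com.adobe.*" covers any
        # package that merely starts with "com.adobe."
        if any(fnmatch.fnmatchcase(app.package, pat) for pat in self.whitelist):
            return "clean"
        return "malicious"   # unknown package name: flagged by default


class CodeHashScanner:
    """Matches on what the app contains, not on what it calls itself.
    Real engines use many signature types; a SHA-256 of the code is the
    simplest one and enough to show the difference."""

    def __init__(self, known_bad_hashes):
        self.known_bad = set(known_bad_hashes)

    def verdict(self, app):
        digest = hashlib.sha256(app.code).hexdigest()
        return "malicious" if digest in self.known_bad else "clean"


# Constructed sample apps for the demo.
MALICIOUS_PAYLOAD = b"<constructed malicious payload>"
SCANNER_SELF = InstalledApp("com.example.fakeav", b"scanner's own code")
GENUINE_ADOBE = InstalledApp("com.adobe.reader", b"benign pdf reader")
KNOWN_MALWARE = InstalledApp("com.evil.dropper", MALICIOUS_PAYLOAD)
# Same payload, repackaged under a name that squats on the wildcarded prefix.
REPACKAGED = InstalledApp("com.adobe.xk3j9q", MALICIOUS_PAYLOAD)


def run_demo():
    """Return {package: (name-scanner verdict, hash-scanner verdict)}."""
    name_scanner = PackageNameScanner(
        whitelist=["com.adobe.*", "com.google.*"],   # note: its own package is missing
        blacklist={"com.evil.dropper"},
    )
    hash_scanner = CodeHashScanner({hashlib.sha256(MALICIOUS_PAYLOAD).hexdigest()})
    apps = [SCANNER_SELF, GENUINE_ADOBE, KNOWN_MALWARE, REPACKAGED]
    return {a.package: (name_scanner.verdict(a), hash_scanner.verdict(a)) for a in apps}


if __name__ == "__main__":
    for package, (by_name, by_hash) in run_demo().items():
        print(f"{package:22} name-only: {by_name:10} code-hash: {by_hash}")
```

Running run_demo() reproduces both failure modes from the report: the name-only scanner flags its own package (com.example.fakeav) because it was never whitelisted, and passes the repackaged payload because com.adobe.xk3j9q matches com.adobe.*, while the hash-based check catches the payload under either name and has no opinion about the scanner's own package.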

Snake-oilers everywhere

The organization said it considered the 30 percent detection mark (with zero false positives) as the threshold separating legitimate antivirus apps from those it regarded as ineffective or downright unsafe.

That means that 170 of the 250 Android antivirus apps failed the organization's most basic detection test and were, for all intents and purposes, a sham.

"Most of the above apps, as well as the aforementioned risky apps, appear to have been developed by amateur programmers or by software manufacturers who are not focused on the security business," said AV-Comparatives staff.

"Examples of the latter category are developers who create all kinds of apps, are in the advertising/monetization business, or just want to have an Android security app in their portfolio for publicity reasons," the researchers said.

Moreover, many of these apps also appeared to have been churned out assembly-line style by the same programmer. Dozens of apps shared the same user interface, and many seemed more interested in displaying ads than in providing a functioning malware scanner.

Antivirus apps collage
Image: AV-Comparatives

The results of the AV-Comparatives study are no surprise to anyone in the cybersecurity world who has paid attention to the Android antivirus scene in recent months.

ESET mobile malware analyst Lukas Stefanko has been warning the public about these apps for months.

Some of his earlier tweets corroborate the AV-Comparatives study, with the researcher discovering Android antivirus apps that detect themselves as malware …

Would you use AntiVirus that would detect itself as a risky app?

This Fake Antivirus 2019 only uses a blacklist & whitelist for app package names + authorization check. Still forgot to put itself on the whitelist.

– Lukas Stefanko (@LukasStefanko) November 28, 2018

… fake their malware scans …

Fake antivirus – 𝐒𝐝 𝐂𝐚𝐫𝐝 𝐕𝐢𝐫𝐮𝐬 𝐒𝐜𝐚𝐧𝐧𝐞𝐫 – has more than 10K installations, but does not scan files for malware.

Instead of scanning files, it sets a 10-millisecond delay on each file to mimic the file checking functionality. #DiscloseApp

– Lukas Stefanko (@LukasStefanko) September 13, 2018

… flag reputable apps as malicious …

More than 100,000 people are protected by this fake antivirus.

It flags @signalapp and @PayPal as high-risk apps.
Use only a reliable AV, not this mess where you uninstall almost all of your apps after scanning because of nonsensical detection rules.

– Lukas Stefanko (@LukasStefanko) November 28, 2018

… or are the work of amateur developers, rather than established antivirus companies.

#FreeAndroidTip: Before installing an app, also check the developer's other apps.

The developers of the fake "Antivirus 2019" have a lot of free time, so they decided to make Solitaire games too.
A company is unlikely to focus on security software and on game development at the same time.

– Lukas Stefanko (@LukasStefanko) December 10, 2018

Other findings of the AV-Comparatives study:

  • Only 23 of the tested apps detected 100 percent of the malware samples.
  • 16 apps had not been properly migrated to Android 8, reducing their security capabilities on newer Android versions.