Enterprise Mobility Management / BYOD , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

Anti-Virus on Android: Beware of Low-Quality Apps

More Than Half of AV Apps Are Ineffective, Testing Firm Finds
Anti-Virus on Android: Beware of Low-Quality Apps
Screenshots of Android anti-virus products (Source: AV Comparatives)

More than half of 250 anti-virus applications available in Google's Play Store offer insufficient protection against malicious software, a security software testing firm reports.

Austria-based AV Comparatives warns that some of the security apps were so poorly engineered that they detected themselves as malware. About 10 percent of the apps tested appeared to come from amateur developers more focused on advertising and monetization than security.

See Also: 2019 Internet Security Threat Report

"Some of the Android security products in our test blocked so few of the malware samples - in some cases literally none - that they cannot reasonably be described as anti-malware apps," AV Comparatives says in a research report.

The offering of so many ineffective or deceptive apps could prove confusing to users. The number of times an app has been downloaded is not an accurate metric of quality, and user reviews can be faked, AV Comparatives cautions.

Most of the tested apps had a review score of four or higher on Google Play's five-star scale, making it difficult for users to derive any meaningful, impartial information about an app's efficacy, AV Comparatives reports.

"A successful scam app may be downloaded many times before it is found to be a scam," the company says. "A recent 'last updated' date also does not seem to be a good quality indicator, as many low-scoring apps had relatively recent updates."

Malware Tests

For its tests, AV Comparatives ran 2,000 of the most common Android malware samples from last year through the 250 anti-virus products, checking their detection and false-positive rates.

The tests were conducted using physical phones - the Samsung Galaxy S9 - which ran Android 8.0, known as Oreo. Some security apps couldn't run on Oreo; for those, AV Comparatives used Android 6.01 running on a Nexus 5 instead.

The tests were straightforward: Open the Google Chrome browser on a clean phone, download a malicious sample, open the .apk Android executable file in the file explorer app, then install and execute it.

More than half of the apps - 138 out of 250 - either detected 30 percent or less of the malicious samples or had high false-positive rates, meaning a non-malicious app gets flagged as being bad, AV Comparatives says.

Some apps failed a very basic test. AV Comparatives ran more than 100 legitimate apps through the scanners in an effort to gauge the false positive rate. "Several low-quality apps detected as malware a number of the 100 clean and popular apps from the Google Play Store," the company says.

Other security apps only seemed to be using black-and-white lists for virus detection. AV Comparatives says it found more apps this year doing this than it did during tests the organization conducted last year.

An example of an embedded whitelist in a security app (Source: AV Comparatives)

There can be risks in using whitelists. AV Comparative gives an example of JSON - JavaScript Object Notation - a whitelist that includes an entry for ".com.Adobe."

"While this entry means that all genuine apps made by Adobe (such as the Acrobat Reader app) will be regarded as safe, this mechanism also allows any malicious app to bypass the security scan, simply by using 'com.adobe.*' as its package name," AV Comparatives writes.

One unexpected twist: AV Comparatives found some anti-virus apps failed to add themselves to their own whitelist, which caused the app to flag itself as being malware.

Google Excises Apps

AV Comparatives says a handful of apps it tested have now been flagged by other security software as Trojans or "potentially unwanted applications," a category reserved for apps that may have some legitimate functionality but also sport other, questionable features, such as bombarding users with ads.

Google has removed security apps from 32 vendors from the Play Store in the last few months. AV Comparatives says it expects the company to remove more.

In many ways, the Android anti-virus scene is similar to the desktop scene a decade ago. In those days, researchers often found malware purporting to be anti-virus applications.

The desktop scams became more sophisticated later. Instead of masking malware as an anti-virus product, the questionable products did actually have anti-malware functions but at a much less effective level than the best AV products.

The promoters of low-quality anti-virus products used a variety of search engine optimization and other tricks to boost download rates. Some of the products were also wrapped in with questionable tech support schemes, which have come under repeated examination by the U.S. Federal Trade Commission.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.