
https://www.bankinfosecurity.com/


Anti-Virus on Android: Beware of Low-Quality Apps
More Than Half of AV Apps Are Ineffective, Testing Firm Finds
Jeremy Kirk (jeremy_kirk) • March 15, 2019

Screenshots of Android anti-virus products (Source: AV Comparatives)

More than half of 250 anti-virus applications available in Google's Play Store offer
insufficient protection against malicious software, a security software testing firm reports.

Austria-based AV Comparatives warns that some of the security apps were so poorly
engineered that they detected themselves as malware. About 10 percent of the apps tested
appeared to come from amateur developers more focused on advertising and
monetization than security.


"Some of the Android security products in our test blocked so few of the malware samples -
in some cases literally none - that they cannot reasonably be described as anti-malware
apps," AV Comparatives says in a research report.

The offering of so many ineffective or deceptive apps could prove confusing to users. The
number of times an app has been downloaded is not an accurate metric of quality, and
user reviews can be faked, AV Comparatives cautions.

Most of the tested apps had a review score of four or higher on Google Play's five-star scale,
making it difficult for users to derive any meaningful, impartial information about an app's
efficacy, AV Comparatives reports.

"A successful scam app may be downloaded many times before it is found to be a scam,"
the company says. "A recent 'last updated' date also does not seem to be a good quality
indicator, as many low-scoring apps had relatively recent updates."

Malware Tests
For its tests, AV Comparatives ran 2,000 of the most common Android malware samples
from last year through the 250 anti-virus products, checking their detection and false-
positive rates.

The tests were conducted using physical phones - the Samsung Galaxy S9 - which ran
Android 8.0, known as Oreo. Some security apps couldn't run on Oreo; for those, AV
Comparatives used Android 6.01 running on a Nexus 5 instead.

The tests were straightforward: Open the Google Chrome browser on a clean phone,
download a malicious sample, open the .apk Android executable file in the file explorer app,
then install and execute it.

More than half of the apps - 138 out of 250 - either detected 30 percent or less of the
malicious samples or had high false-positive rates, meaning a non-malicious app gets
flagged as being bad, AV Comparatives says.

Some apps failed a very basic test. AV Comparatives ran more than 100 legitimate apps
through the scanners in an effort to gauge the false positive rate. "Several low-quality apps
detected as malware a number of the 100 clean and popular apps from the Google Play
Store," the company says.

Other security apps only seemed to be using black-and-white lists for virus detection. AV
Comparatives says it found more apps this year doing this than it did during tests the
organization conducted last year.

An example of an embedded whitelist in a security app (Source: AV Comparatives)

There can be risks in using whitelists. AV Comparatives gives an example of a JSON - JavaScript
Object Notation - whitelist that includes an entry for ".com.Adobe."

"While this entry means that all genuine apps made by Adobe (such as the Acrobat Reader
app) will be regarded as safe, this mechanism also allows any malicious app to bypass the
security scan, simply by using 'com.adobe.*' as its package name," AV Comparatives writes.
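
The weakness described above, modelled as an added example (not code from AV Comparatives or from any tested app): a prefix whitelist trusts the self-declared package name, while a hardened whitelist pins an exact package name to the SHA-256 digest of the app's signing certificate. The package names, certificate bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed whitelist in the style the article describes: prefix entries only.
PREFIX_WHITELIST = json.loads('{"trusted": ["com.adobe.*"]}')

# Constructed stand-ins for signing certificates (not real vendor certificates).
GENUINE_CERT = b"constructed-vendor-signing-certificate"
OTHER_CERT = b"constructed-unrelated-signing-certificate"

# Hardened whitelist: exact package name pinned to the certificate's SHA-256.
PINNED_WHITELIST = {
    "com.adobe.reader": hashlib.sha256(GENUINE_CERT).hexdigest(),
}

def trusted_by_prefix(package_name):
    """Weak check: trusts any self-declared name that matches a prefix entry."""
    return any(
        package_name.startswith(entry.rstrip("*"))
        for entry in PREFIX_WHITELIST["trusted"]
    )

def trusted_by_pin(package_name, signing_cert):
    """Hardened check: exact name AND matching signing-certificate digest."""
    expected = PINNED_WHITELIST.get(package_name)
    if expected is None:
        return False
    actual = hashlib.sha256(signing_cert).hexdigest()
    return hmac.compare_digest(expected, actual)

# Constructed samples: (package name, signing certificate bytes).
SAMPLES = [
    ("com.adobe.reader", GENUINE_CERT),     # genuine app, genuine signer
    ("com.adobe.flashlight", OTHER_CERT),   # borrowed prefix, unrelated signer
    ("com.adobe.reader", OTHER_CERT),       # copied exact name, unrelated signer
    ("org.example.notes", OTHER_CERT),      # unrelated app
]

def compare(samples):
    """Return (package, skipped_by_prefix_list, skipped_by_pinned_list) rows."""
    return [(p, trusted_by_prefix(p), trusted_by_pin(p, c)) for p, c in samples]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

Only the first sample passes the pinned check; the prefix list also skips the second and third, which is why a whitelisted app should still be verified by its signer rather than by name alone.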

One unexpected twist: AV Comparatives found some anti-virus apps failed to add
themselves to their own whitelist, which caused the app to flag itself as being malware.

Google Excises Apps


AV Comparatives says a handful of apps it tested have now been flagged by other security
software as Trojans or "potentially unwanted applications," a category reserved for apps
that may have some legitimate functionality but also sport other, questionable features,
such as bombarding users with ads.

Google has removed security apps from 32 vendors from the Play Store in the last few
months. AV Comparatives says it expects the company to remove more.

In many ways, the Android anti-virus scene is similar to the desktop scene a decade ago. In
those days, researchers often found malware purporting to be anti-virus applications.

The desktop scams became more sophisticated later. Instead of masking malware as an
anti-virus product, the questionable products did actually have anti-malware functions but
at a much less effective level than the best AV products.

The promoters of low-quality anti-virus products used a variety of search engine
optimization and other tricks to boost download rates. Some of the products were also
wrapped in with questionable tech support schemes, which have come under repeated
examination by the U.S. Federal Trade Commission.

About the Author

Jeremy Kirk
Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing
Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London
and Sydney covering computer security and privacy for International Data Group. Further back, he covered
military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

© 2021 Information Security Media Group, Corp. https://www.bankinfosecurity.com/ Toll Free: (800) 944-0401
