The world of antivirus is already fraught. You’re basically inviting all-seeing, all-knowing software onto your device, trusting that it’ll keep the bad guys out and not abuse its own access in the process. On Android, that problem is compounded by dozens of apps that aren’t just ineffective—they’re outright phony.
That’s the finding of newly published research from AV-Comparatives, a European company that, as its name suggests, tests antivirus products. In a survey of 250 antivirus apps found in the Google Play Store, only 80 demonstrated basic competence at their jobs by detecting 30 percent or more of the 2,000 malicious apps AV-Comparatives threw at them. The remainder either failed to meet that benchmark, frequently mistook benign apps for malware, or have been pulled from the Play Store altogether. In other words, they stunk.
“In the past we and others found malicious apps, non-working apps, so it is not really a surprise to find some bogus AV apps as well,” says Peter Stelzhammer, COO of AV-Comparatives. “In the times of rogue AV software, you have to be aware of everything.”
Failure comes in many different colors, of course. Some antivirus apps AV-Comparatives tested actually did a decent job of blocking malicious apps, but introduced potential risks of their own. Several dozen products—all of which share a suspiciously similar user interface—relied on a “whitelist” approach, meaning that only specifically named apps were permitted to run on the device. Think of it as a bouncer in a club with a very strict guest list; anyone not on it has to go, whether they’re seedy or not.
The immediate ramification of that approach should be obvious: An antivirus that relies only on whitelisting will block lots of perfectly legitimate apps. In some cases, the AV-Comparatives study notes, the antivirus apps even forgot to whitelist themselves, creating an ouroboros of failure.
This sort of whitelisting introduces a secondary concern. These apps were coded to trust any package name that starts with, say, "com.adobe." or "com.facebook." But that also means hackers could name their malware com.facebook.bigbadvirus and still get through. Think again of our bouncer, who in this scenario has specific instructions to let John Stamos in the club any time he wants. Our friend would happily raise the rope for three raccoons in a trench coat, as long as they introduced themselves as John Stamos Raccoons.
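The prefix check described above, set beside a stricter one that requires an exact package name and a matching signing-certificate digest, as an added example that is not from the AV-Comparatives study or any tested app. The certificate bytes, the package name com.facebook.exampleapp and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Prefixes quoted in the article; the flawed apps trusted anything starting with them.
TRUSTED_PREFIXES = ("com.adobe.", "com.facebook.")

# Constructed stand-ins for signing certificates (not real certificate data).
VENDOR_CERT = b"constructed-vendor-signing-certificate"
UNKNOWN_CERT = b"constructed-unknown-signing-certificate"


def cert_digest(cert: bytes) -> str:
    """SHA-256 of the signer certificate bytes, hex encoded."""
    return hashlib.sha256(cert).hexdigest()


# Hardened allowlist: exact package name mapped to the expected signer digest.
# "com.facebook.exampleapp" is a hypothetical package name.
PINNED = {"com.facebook.exampleapp": cert_digest(VENDOR_CERT)}


def prefix_trusted(package: str) -> bool:
    """Flawed check: the package name is chosen by whoever builds the app."""
    return package.startswith(TRUSTED_PREFIXES)


def pinned_trusted(package: str, signer_cert: bytes) -> bool:
    """Trust only an exact name whose signer matches the pinned digest."""
    expected = PINNED.get(package)
    if expected is None:
        return False
    return hmac.compare_digest(expected, cert_digest(signer_cert))


def audit(installed):
    """Return (package, prefix_verdict, pinned_verdict) for each installed app."""
    return [(p, prefix_trusted(p), pinned_trusted(p, c)) for p, c in installed]


# Constructed device inventory: (package name, signer certificate bytes).
INSTALLED = [
    ("com.facebook.exampleapp", VENDOR_CERT),    # genuine: right name, right signer
    ("com.facebook.bigbadvirus", UNKNOWN_CERT),  # the article's spoofed name
    ("com.facebook.exampleapp", UNKNOWN_CERT),   # exact name copied, wrong signer
    ("org.example.notes", UNKNOWN_CERT),         # benign app not on any list
]

if __name__ == "__main__":
    for row in audit(INSTALLED):
        print(row)
```

The last inventory entry is rejected by both checks, which is the first problem the study notes: an allowlist-only scanner flags legitimate apps it has never heard of.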
Why go through all the trouble of pushing a fake, or at best deeply broken, antivirus app? To snap up users' personal data, of course. Remember, antivirus apps by nature ask for, and generally receive, deep permissions. “Android apps like these are notorious for simply pushing more content on phones, but even more so they are simply used to gather data from the phone,” says Yonathan Klijnsma, head threat researcher at security intelligence firm RiskIQ. “This ranges from basic information like the model of the phones, towards live GPS polling, phone numbers, and any other personally identifiable information up for grabs.”
While Google has taken down plenty of these fraudulent apps, they still persist. It’s also unclear whether Google can reasonably be expected to face down the tide. “I am not sure what to expect from Google regarding these apps,” says Mohammad Mannan, a computer scientist at Concordia University who has researched antivirus software. “In general, Google as a market operator possibly cannot check all apps to verify if the apps meet their advertised obligations.” Google did not comment on what protections it has in place to keep fake or faulty antivirus software out of the Play Store. Mannan argues that in some ways it would be like penalizing a boring game for claiming it was “super exciting.”
The good news is that not all Android antivirus is worthless. AV-Comparatives found 23 apps that caught 100 percent of their malware samples, and several more that came close. If there's a common thread among the more reliable choices, it's that they tend to come from companies you’ve heard of, like F-Secure and Bitdefender and Symantec, to name a few. If you insist on installing antivirus for your Android phone, that remains your best rule of thumb.
“Download counts and reviews are not an option any more,” says Stelzhammer. “The reviews cannot say anything about the quality of protection, only about the ease of use, and this doesn’t mean that you are protected well enough. And they can be fake as well.”
On the other hand, you could also not install an antivirus app. Even good ones can be fooled, especially on a platform as permissive as Android. They drain resources at an aggravating rate. And a lot of the protection they offer can be achieved by simply staying away from third-party app stores in the first place. At best, they’ll help a little. At worst, they’ll hurt a lot.