New research has revealed the truly shocking state of Android phone security. The source of that security problem may well come as a surprise: antivirus apps designed to protect devices and users. Researchers at testing specialists Comparitech found that apps with more than 28 million installs between them were presenting attack paths and opportunities to threat actors looking to exploit vulnerabilities on the Android platform.
In total, Comparitech put 21 separate Android antivirus apps to the test over the course of many weeks. Some 47% of them failed in one way or another. Three apps contained serious security flaws, including a critical vulnerability that exposed users' address books and laid bare the details of an estimated million contacts. Another vulnerability made one app “very easy to disable remotely” by an attacker.
And that’s before I’ve even mentioned the apps that were unable to detect a virus used during the testing process, or how nearly all of them were found to be tracking their users according to the Comparitech researchers.
“Comparitech spent weeks testing popular free Android antivirus apps,” Aaron Phillips, a Comparitech researcher, reported. “We looked for flaws in the way each vendor handles privacy, security, and advertising. The results were eye-opening.”
How were Android phones exposed to risk?
Comparitech’s senior security researcher, Khaled Sakr, took responsibility for the testing itself, looking at each application, its effectiveness, web management dashboard and any back-end services. The apps were also scrutinized for dangerous permissions and trackers embedded within them.
The conclusion was that in many cases at least, the user simply isn’t getting what the apps promised in their Play Store descriptions. While 47% of the apps failed the testing regime in some way, serious security flaws were uncovered in three apps.
Comparitech reports that it found “misconfigured web services,” affecting Vipre Mobile, AegisLab, and BullGuard which could “put user privacy and security at risk.”
The vendors were notified and, during June and July, worked with Comparitech to patch the vulnerabilities before the report was made public on August 1. “We can confirm all vulnerabilities were fixed,” Comparitech stated.
How else did Android antivirus apps fail?
The researchers also used a Metasploit payload which attempts to open a reverse shell on the Android phone without any attempt at obfuscation, something that “every Android antivirus app should be able to detect and stop,” Comparitech insisted.
However, according to the research report, none of the following mobile antivirus apps were able to detect this “dangerous test virus”:
AegisLab Antivirus Free, Antiy AVL Pro Antivirus & Security, Brainiac’s Antivirus System, Fotoable Super Cleaner, MalwareFox Anti-Malware, NQ Mobile Security & Antivirus Free, Tap Technology Antivirus Mobile and Zemana Antivirus & Security.
What about privacy concerns?
Comparitech also looked for “dangerous permissions and advertising trackers,” to address privacy concerns with security apps. Google does, of course, already ensure that apps have to request approval from the user when these permissions could “affect the user’s privacy or the device’s normal operation.”
Comparitech singled out the “dfndr security: antivirus, anti-hacking & cleaner” app from PSafe as being the worst offender. “The sheer number of advertising trackers bundled with the app is impressive,” the report stated, continuing “as far as we can tell, dfndr puts users search and browser habits up for sale on every ad exchange there is.”
“We never, ever sold a single byte of users’ data to anyone. Period.” Marco DeMello, CEO of PSafe Inc which makes dfndr, says in response to the Comparitech findings, continuing “We don’t even collect any personally identifiable information (PII), and all other data, again, is used locally for security purposes and never sold to anyone.” DeMello adds that the advertising software development kits (SDKs) that dfndr uses are implemented from Google, Facebook, Mopub and “in no case do we ever share any user data with these SDKs. We never have and never will sell user data.”
As far as the “dangerous permissions and advertising trackers,” that the Comparitech report says it looked for, are concerned, DeMello says that dfndr only asks for geo-location, camera, IMEI etc. permissions for an anti-theft feature, “which is 100% opt-in, and allows users to remotely wipe their phones.” DeMello says that only the owner can do that, PSafe cannot. This feature also allows users to receive location data and pictures of intruders if their phones are lost or stolen. “Only users that activate the anti-theft feature provide our dfndr app with these permissions,” DeMello insists, “and only for that purpose.”
In a statement emailed to me, DeMello also says: “Since January of this year we have blocked over 283 million phishing and 30 million malware attacks against our users. We detect and catalog over 3,000 malicious URLs per second across our userbase. We detect, notify and help users recover from leaked or stolen identities and credentials over 30K times per day. We’re one of the good guys.”
Android antivirus market is too big
Part of the problem, according to Comparitech, is that there really aren’t enough mobile viruses and malware to justify the size of the mobile antivirus market.
Indeed, if you take a look at the Kaspersky “Mobile malware evolution 2018” report, you will see that it blocked 116.5 million attacks using mobile malware and detected more than 5 million mobile malware installation packages, across both Android and iOS platforms.
Comparitech notes that an analysis of the Kaspersky numbers reveals that “only 10% of users in the U.S., 5% in Canada and 6% in the UK needed to be protected from a mobile threat last year.”
Is there a need for Android security apps?
Let’s not get too carried away with those tiny statistics; mobile malware is a real threat, as the 116.5 million attacks blocked by Kaspersky alone aptly demonstrate.
See my “Android ‘Sex Simulator Game’ Ransomware Spreads Using SMS Text Messages” report or the Thomas Brewster revelation that “25 Million Android Phones Infected With Malware That Hides In WhatsApp,” if you want more evidence of the threat.
I still recommend that Android users install an anti-malware app from one of the leading vendors, and these can often be found included as part of their Windows Internet security suites.
Lack of focus on Android antivirus itself to blame
However, the sheer size of the market does undoubtedly lead to some vendors adding features and functionality in an attempt to differentiate themselves from the ever-increasing number of competing apps. This seems to be where many of the security problems emerge, as Comparitech reported that “every vulnerability we found was with a system incidental to the actual virus scanning.”
Outside of the security app ecosystem itself, in July alone, it has been reported that 201 harmful apps were downloaded from the Google Play store some 32 million times between them.
We need antivirus and privacy apps for our Android devices, and we need organizations such as Comparitech to keep putting those apps to the test so users can be sure they are getting the protection that they are expecting.
I have attempted to contact every vendor mentioned in this article, but none had responded to my request for a statement at the time of publication. I will, of course, update this story with any vendor comment that I receive in due course.
[“source=forbes”]