The world of antivirus is already fraught. You’re basically inviting all-seeing, all-knowing software onto your device, trusting that it’ll keep the bad guys out and not abuse its own access in the process. On Android, that problem is compounded by dozens of apps that aren’t just ineffective—they’re outright phony.
That’s the finding of newly published research from AV-Comparatives, a European company that, as its name suggests, tests antivirus products. In a survey of 250 antivirus apps found in the Google Play Store, only 80 demonstrated basic competence at their jobs by detecting 30 percent or more of the 2,000 malicious apps AV-Comparatives threw at them. The remainder either failed to meet that benchmark, frequently mistook benign apps for malware, or have been pulled from the Play Store altogether. In other words, they stunk.
“In the past we and others found malicious apps, non-working apps, so it is not really a surprise to find some bogus AV apps as well,” says Peter Stelzhammer, COO of AV-Comparatives. “In the times of rogue AV software, you have to be aware of everything.”
Failure comes in many different colors, of course. Some antivirus apps AV-Comparatives tested actually did a decent job of blocking malicious apps, but introduced potential risks of their own. Several dozen products—all of which share a suspiciously similar user interface—relied on a “whitelist” approach, meaning that only specifically named apps were permitted to run on the device. Think of it as a bouncer in a club with a very strict guest list; anyone not on it has to go, whether they’re seedy or not.
The immediate ramification of that approach should be obvious: An antivirus that relies only on whitelisting will block lots of perfectly legitimate apps. In some cases, the AV-Comparatives study notes, the antivirus apps even forgot to whitelist themselves, creating an ouroboros of failure.
This sort of whitelisting introduces a secondary concern. These apps were coded to trust any package name that starts with, say, “com.adobe.” or “com.facebook.” But that also means hackers could name their malware com.facebook.bigbadvirus and still get through. Think again of our bouncer, who in this scenario has specific instructions to let John Stamos in the club any time he wants. Our friend would happily raise the rope for three raccoons in a trench coat, as long as they introduced themselves as John Stamos Raccoons.
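The prefix check described above, next to a stricter one, as an added example that is not code from AV-Comparatives or from any of the tested apps. The package names other than com.facebook.bigbadvirus, the certificate bytes and the function names are constructed for illustration; the stricter check assumes the scanner can read each app's signing certificate.

```python
import hashlib

# Vendor prefixes the article says the bogus scanners trusted.
TRUSTED_PREFIXES = ("com.adobe.", "com.facebook.")


def prefix_allowlisted(package_name: str) -> bool:
    """Flawed check: any package name under a trusted prefix passes."""
    return package_name.startswith(TRUSTED_PREFIXES)


def cert_digest(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate bytes, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for signing certificates (not real certificates).
VENDOR_CERT = b"constructed-vendor-signing-cert"
OTHER_CERT = b"constructed-unknown-signing-cert"

# Stricter allowlist: exact package name mapped to the signer digests
# expected for it. The app picks its own name, but it cannot produce the
# vendor's signature without the vendor's private key.
PINNED = {"com.facebook.example": {cert_digest(VENDOR_CERT)}}


def pinned_allowlisted(package_name: str, cert_der: bytes) -> bool:
    """Pass only on an exact name match AND a matching signer digest."""
    expected = PINNED.get(package_name)
    return expected is not None and cert_digest(cert_der) in expected


def audit(installed):
    """List packages the prefix check trusts but the pinned check rejects."""
    return [name for name, cert in installed
            if prefix_allowlisted(name) and not pinned_allowlisted(name, cert)]


# Constructed inventory of (package name, signing certificate) pairs.
INSTALLED = [
    ("com.facebook.example", VENDOR_CERT),
    ("com.facebook.bigbadvirus", OTHER_CERT),
    ("org.example.notes", OTHER_CERT),
]

if __name__ == "__main__":
    for name in audit(INSTALLED):
        print("trusted by prefix only:", name)
```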
Why go through all the trouble of pushing a fake, or at best deeply broken, antivirus app? To snap up users’ personal data, of course. Remember, antivirus apps by nature ask for, and generally receive, deep permissions. “Android apps like these are notorious for simply pushing more content on phones, but even more so they are simply used to gather data from the phone,” says Yonathan Klijnsma, head threat researcher at security intelligence firm RiskIQ. “This ranges from basic information like the model of the phones, towards live GPS polling, phone numbers, and any other personally identifiable information up for grabs.”
While Google has taken down plenty of these fraudulent apps, they still persist. It’s also unclear whether Google can reasonably be expected to face down the tide. “I am not sure what to expect from Google regarding these apps,” says Mohammad Mannan, a computer scientist at Concordia University who has researched antivirus software. “In general, Google as a market operator possibly cannot check all apps to verify if the apps meet their advertised obligations.” Google did not comment on what protections it has in place to keep fake or faulty antivirus software out of the Play Store. Mannan argues that in some ways it would be like penalizing a boring game for claiming it was “super exciting.”
The good news is that not all Android antivirus is worthless. AV-Comparatives found 23 apps that caught 100 percent of their malware samples, and several more that came close. If there’s a common thread among the more reliable choices, it’s that they tend to come from companies you’ve heard of, like F-Secure and Bitdefender and Symantec, to name a few. If you insist on installing antivirus for your Android phone, that remains your best rule of thumb.
“Download counts and reviews are not an option any more,” says Stelzhammer. “The reviews cannot say anything about the quality of protection, only about the ease of use, and this doesn’t mean that you are protected well enough. And they can be fake as well.”
On the other hand, you could also not install an antivirus app. Even good ones can be fooled, especially on a platform as permissive as Android. They drain resources at an aggravating rate. And a lot of the protection they offer can be achieved by simply staying away from third-party app stores in the first place. At best, they’ll help a little. At worst, they’ll hurt a lot.