47% of free antivirus apps for Android failed a test


One of the main problems with enterprise mobile BYOD efforts is that corporate apps, and lots of corporate data, including sensitive intellectual property, end up coexisting on the same device with everything the employee downloads for personal use. That is not ideal, but it gets worse when the employee decides to download a second antivirus program. Running two apps for the same job, for example two VPNs, two word processors or two email clients, invites conflict; two antivirus programs in particular can fight each other, producing false positives and unexpected results.

Running two antivirus apps not only works poorly, it weakens the security of the device. There are only a few free antivirus apps for Android out there, and those are the ones employees tend to download. If the company has already installed a high-level antivirus on the Android device, why would the employee pay to install a second one? The free versions are far more tempting in most scenarios.

I’ve found a report from Comparitech, and it is alarming. The report found that some free antivirus apps bundle adware and commit many violations of the user’s privacy. They are also poor at detecting viruses, even the most common ones. Truly, the report is so alarming that, of the 21 free antivirus apps tested, 47% failed at detecting viruses on Android devices. You can find the test by clicking here.

“We found serious security flaws in three of the apps we tested and found seven apps that couldn’t detect a test virus. In total, 47% of the vendors we tested failed in some way,” Comparitech said in a blog post.

Seven free Android antivirus apps couldn’t detect the presence of a known virus. “The Metasploit payload we used attempts to open a reverse shell on the device without obfuscation. It was built for exactly this sort of testing. Every Android antivirus app should be able to detect and stop the attempt,” said Comparitech in the blog post. According to Comparitech, these are the apps that couldn’t detect the malware: Antiy AVL Pro Antivirus & Security, Tap Technology Antivirus Mobile, Brainiacs Antivirus System, Fotoable Super Cleaner, MalwareFox Anti-Malware, AEGISLAB Antivirus Free, NQ Mobile Security & Antivirus Free, and Zemana Antivirus & Security.

Paul Bischoff, a lead researcher with Comparitech, put it simply: “People are enticed by free.”

So, how do these apps make money? They generate revenue through a combination of adware and selling sensitive user information to third parties. This raises privacy concerns, Bischoff said.

The blog post contains this alarming statement: “In our analysis, dfndr security was far and away the worst offender. The sheer number of advertising trackers bundled with the app is impressive. As far as we can tell, dfndr puts users’ search and browser habits up for sale on every ad exchange there is.” “Dfndr also requests permission to access fine location data, access the camera, read and write contacts, look through the address book, and grab the IMEI (unique ID) and phone number of the device.” It is like allowing someone to track everything about your digital life. And the sad part of this story is that the data is sold online.

There’s another privacy concern, according to Comparitech, this one about the VIPRE antivirus. The sad part here is that if you go to www.vipre.com, or search for it on Google, the first search result carries this title: The Best Antivirus Protection For Home & Business | VIPRE. But based on the test that Comparitech did, the blog post has the following to say about it: “Using the online dashboard, we discovered it was possible for attackers to access the address books of VIPRE Mobile users with cloud sync enabled. Based on our proof-of-concept and the popularity of the app, we estimate more than a million contacts were sitting on the web unsecured. The flaw was caused by broken or poorly implemented access control, which manifests as an insecure direct object reference (IDOR) vulnerability in VIPRE Mobile’s backend. The script responsible only checked to make sure the attacker was logged in. No further checking was done to ensure the request was being performed by the proper device or account.”

Another antivirus that fell in this terrible test was BullGuard. Comparitech said it worked with the vendor to “fix the hole they found”.

“BullGuard Mobile Security was affected by an IDOR vulnerability, which allowed a remote attacker to disable antivirus protection. We found it would be trivial for an attacker to iterate through customer IDs and disable BullGuard on every device. Our testing found the request generated when a user shuts off antivirus protection can be captured and altered. By changing the user ID in this request, antivirus protection on any device can be disabled. Access control did not appear to be in place to ensure the correct user was making the request. We discovered one of the scripts responsible for processing new users on the BullGuard website is also vulnerable to XSS. The script in question doesn’t sanitize any parameters passed to it, which enables an attacker to run malicious code. In this case, it was trivial to display an alert on the page. In other cases, adversaries might use this vulnerability to hijack sessions, harvest personal data, or carry out several attacks. For example, high trust websites like BullGuard make an ideal platform for phishing campaigns,” we read on the Comparitech public blog.
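The access-control gap that both the VIPRE and the BullGuard findings describe (the backend checks that the caller is logged in, but never that the referenced object belongs to the caller) can be shown in a small request handler. This is an added example, not code from Comparitech, VIPRE or BullGuard; the session table, device records and function names are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed session table: bearer token -> account ID (hypothetical data).
SESSIONS = {"tok-alice": "acct-alice", "tok-mallory": "acct-mallory"}


@dataclass
class Device:
    owner: str                      # account that enrolled the device
    protection_enabled: bool = True


def fresh_devices():
    """Constructed device records, one per account, so each request starts from a clean state."""
    return {
        "dev-1001": Device(owner="acct-alice"),
        "dev-2002": Device(owner="acct-mallory"),
    }


def disable_protection_vulnerable(devices, token, device_id):
    """The flawed pattern the report describes: the only check is 'is the caller logged in?'.
    The device_id taken from the request is trusted, so any authenticated caller can turn
    off protection on any device simply by changing that one field."""
    if token not in SESSIONS:
        return "forbidden"          # would be an HTTP 401/403
    device = devices.get(device_id)
    if device is None:
        return "not found"
    device.protection_enabled = False
    return "disabled"


def disable_protection_fixed(devices, token, device_id):
    """Hardened handler: authenticate the caller, then authorize the specific object by
    checking that the referenced device belongs to the caller's own account."""
    account = SESSIONS.get(token)
    if account is None:
        return "forbidden"
    device = devices.get(device_id)
    # An unknown device and someone else's device get the same answer, so the response
    # does not reveal which IDs exist (which would make ID enumeration easier).
    if device is None or device.owner != account:
        return "forbidden"
    device.protection_enabled = False
    return "disabled"


def attempt(handler, token, device_id, watched="dev-1001"):
    """Run one request against fresh records; return the handler's outcome and whether
    the watched device (Alice's, by default) is still protected afterwards."""
    devices = fresh_devices()
    outcome = handler(devices, token, device_id)
    return outcome, devices[watched].protection_enabled
```

The ownership check in `disable_protection_fixed` is the "further checking" the VIPRE quote says was missing; a server-side log line on every "forbidden" outcome would also give defenders the signal needed to spot an ID-iteration attempt.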

Based on Comparitech’s comments, the BullGuard hole was impressively bad. “The IDOR vulnerability is as embarrassing as it gets for an antivirus vendor. Users rely on antivirus software as a line of defense for their devices, so when it can be disabled silently and remotely, that’s a devastating blow. BullGuard repaired both vulnerabilities, now they need to work on repairing their reputation with users.”

Based on Bischoff’s comments, the research results weren’t all bad; he stated that almost all vendors’ antivirus apps worked well. When asked which free antivirus apps for Android are the best, he said that “MalwareBytes and Komono are good”.

Enterprise IT should pay attention to this report, because a weak or leaky antivirus on a phone can become an issue that leads to a breach of enterprise information. We know that most small businesses and enterprise IT departments don’t budget for a high-level antivirus for corporate and BYOD phones. Given this comparison report, IT departments should look for a way to install only high-level antivirus apps on Android devices, both on corporate-owned phones and on those in the BYOD program.