Two – thirds of all antivirus applications in Android are fraud

Android app fake

Only 23 Android antivirus applications had a detection rate of 100 percent without any false positive results.

In the report published this week, an organization specializing in testing antivirus products concluded that around two-thirds of all Android antivirus applications are shameful and are ineffective.

The report, published by the Austrian AV-Comparatives antivirus testing tool, is a result of a tough trial process in January this year and was followed by 250 Android antivirus applications in the Google Play Store.

The results of the report are tragicomic — with antivirus apps being detected as malware— and they show the dismal state of Android antivirus industry that seems to have more snake oilers than actual cyber security providers. Of the 250 applications tested, only 80 of them detected more than 30% of the malware they threw on each application during individual tests.

The tests were not complicated

Researchers installed each antivirus application on a separate unit (no emulator involved) and automated it to open the browser, download and then install the malicious app. They did that 2,000 times for each app and had the test device download 2000 of the wildest Android malware strains found last year–meaning that these strains should already have been indexed by all anti-virus applications for a long time.

Few apps don’t even scan for malware

The results, however, did not reflect this fundamental assumption. AV-Comparatives staff said many antivirus applications did not scan the apps that the user downloaded or installed, only used a whitelist approach and only looked at package names (instead of their code).

Essentially, some antivirus apps would default to any application that is installed on a user’s phone when the app’s package name wasn’t listed. This is why some antivirus applications were detected as malicious by forgetting to add their own package names to the whitelist.

In other cases, some antivirus apps used wildcards with entries like “com.adobe.” in their whitelist. In such cases, all the malware strain had to do was to use a “com.adobe.”[random text] package name to circumvent the scans of dozens of Android antivirus products.

The organization said that the 30% detection mark (with none false positive) was considered a threshold between legitimate antivirus applications and those that it deemed to be ineffectual or absolutely unsafe.

That means that 170 of the 250 Android antivirus applications had failed the most basic detection tests of the organization and were a shame for all purposes. “By amateur programmers and by software manufacturers not focused on security, most of the above applications, as well as the risky applications already mentioned, seem to have been developed,” the AV-Comparatives staff said.

antivirus-apps-collage

Source: AV-Comparatives

“The latter category, for example, is made up of developers who create all kinds of apps, who are in the advertising and monetization business or just want an Android security app for advertising,” researchers said. In addition, many of these applications also appeared to be developed on a assembly line by the same programmer.

During the last few months decades of applications were fed the same user interface and many were more interested in showing ads rather than a fully functioning malware scanner. The results of the AV-Comparatives study are no surprise to anyone in the cyber security world who has paid special attention to the Android antivirus scene.


For months ESET mobile malware analyst Lukas Stefanko has warned the public about these threats. Some of his past tweets confirm the study of AV-Comparatives, which revealed Android antivirus applications that are malware-detected.


Other findings from AV-Comparate: only 23 of the tested applications detected 100% of the malware samples.
16 apps were not properly migrated to Android 8, which reduces protection capabilities on newer versions of Android.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.