Two-thirds of Android anti-malware tools on Google Play are useless

The 2019 Android Test results published by AV-Comparatives showed that most apps provide inadequate protection from malware

Most anti-virus apps for Android are fake. Research conducted by an AV-testing lab proved that most anti-virus apps on Google Play are unreliable and sometimes even malicious.

AV-Comparatives, an Austrian independent body that tests and evaluates anti-virus software, published a newly conducted report[1] which states that more than two-thirds of AV engines for Android mobile devices are absolutely useless and do not work as advertised.

The testing lab used 2,000 Android malware[2] samples to check the effectiveness of 250 apps from the Google Play store. According to the press release, only 1 in 10 apps managed to hit the 100% detection rate, and most (over two-thirds) failed to beat the basic threshold of a 30% pass rate. According to AV-Comparatives, most bogus AV engine authors are driven by monetary gain and are not experienced enough to create reliable security software:

Most of the above apps, as well as the risky apps already mentioned, appear to have been developed either by amateur programmers or by software manufacturers that are not focused on the security business. Examples of the latter category are developers who make all kinds of apps, are in the advertisement/monetization business, or just want to have an Android protection app in their portfolio for publicity reasons.

Of course, such results might not come as a surprise, especially in the cybersecurity world. Unfortunately, many Android users are unaware that analysis testing the credibility of such apps is performed in the first place.

The test procedure, the vendors, and the way to choose the best ones

The 2019 Android test was conducted with the help of an automated testing framework, as doing so manually would be simply impractical. Nevertheless, researchers gave assurances that the computerized process “realistically simulates real-world conditions” and that the testing was done on actual Android devices instead of emulators. The 2,000 malware samples, used mostly on Samsung Galaxy S9 devices (running Android Oreo), were those that were the most prominent during 2018. Among them were threats such as Triada, Lokibot, and Hiddad.[3]

80 of the tested apps passed a basic test, while only 23 of them managed to detect all malware samples. Among the leaders, you can find the most prominent names, including Avira, Sophos, Emsisoft, ESET, Bitdefender, McAfee, and others. A 99% detection rate was shared by vendors such as Malwarebytes, CheckPoint, and VIPRE.

The problem with low-scoring apps is that they are not made professionally, and not enough research goes into the detection of malicious software. Of course, some titles use the engines of reputable vendors, although their detection rates are still not as high as those of the original AV software.

Furthermore, most regular users have no idea how security software operates. So what do they go by? User reviews, download numbers, and ratings? It seems so, because, as previously reported by an ESET researcher, some fake anti-virus engines were highly rated and had 790,000 downloads![4]

However, it is relatively easy to choose a reputable application that will not give you a false sense of security. As the independent AV testing lab reports:

<…> we recommend using only apps of well-known, verified and reputable vendors. As well as participating in tests by independent test institutes, such vendors will have a professional website with contact information and a privacy policy. It should also be possible to try the app – typically a few weeks’ trial use is allowed – before purchasing. Users can then assess the usability and any additional features of the product.

Some anti-virus apps conduct fake scans and might be malicious themselves

During the test, AV-Comparatives also concluded that some apps are outright dangerous. The test lab considered anti-virus apps that did not reach a 30% detection rate (with no false positives) unacceptable and outright scams.

The research revealed that some low-scoring apps did not actually scan the device for malware at all, but instead used a whitelist/blacklist scheme that relies on package names for detection. Such an approach is evidently insufficient, as packages can be called whatever malicious actors want. Reputable AV engines analyze the code of the application to recognize whether the payload is a threat.

Some apps actually marked every application as malicious unless its name was whitelisted. Ironically, for this reason, some programs even labeled themselves as malicious.
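The difference between name-based and content-based detection can be measured the same way the test does, by detection rate and false positives. The following is an added example, not code from AV-Comparatives or from any tested app; all package names and payloads are constructed, and a SHA-256 digest of the package contents is used as a simplified stand-in for the code analysis a reputable engine performs.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkg:
    name: str        # package name: chosen freely by whoever builds the app
    content: bytes   # stand-in for the app's code
    malicious: bool  # ground truth, known only to the test harness

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

# Everything below is constructed sample data.
PAYLOAD_A = b"constructed-malicious-payload-A"
PAYLOAD_B = b"constructed-malicious-payload-B"
NAME_BLACKLIST = {"com.example.dropper"}
NAME_WHITELIST_PREFIXES = ("com.example.trusted.",)
CONTENT_SIGNATURES = {digest(PAYLOAD_A), digest(PAYLOAD_B)}

DEVICE = [
    Pkg("com.example.dropper", PAYLOAD_A, True),
    Pkg("com.example.trusted.flashlight", PAYLOAD_A, True),  # same code, other name
    Pkg("com.example.weather", PAYLOAD_B, True),             # name on no list
    Pkg("com.example.notes", b"constructed-benign-notes", False),
    Pkg("com.example.fakeav", b"constructed-benign-scanner", False),  # the scanner itself
]

def name_blacklist_scan(pkg: Pkg) -> bool:
    return pkg.name in NAME_BLACKLIST

def name_whitelist_scan(pkg: Pkg) -> bool:
    # Flags everything whose name is not whitelisted, as the article describes.
    return not pkg.name.startswith(NAME_WHITELIST_PREFIXES)

def content_scan(pkg: Pkg) -> bool:
    # Decision depends on what the package contains, not on what it is called.
    return digest(pkg.content) in CONTENT_SIGNATURES

def score(scan, pkgs):
    """Return (detection rate on malicious packages, names of false positives)."""
    bad = [p for p in pkgs if p.malicious]
    good = [p for p in pkgs if not p.malicious]
    return sum(scan(p) for p in bad) / len(bad), [p.name for p in good if scan(p)]

if __name__ == "__main__":
    for scan in (name_blacklist_scan, name_whitelist_scan, content_scan):
        rate, false_pos = score(scan, DEVICE)
        print(f"{scan.__name__:20} detection={rate:.0%} false_positives={false_pos}")
```

On this sample set the whitelist-only scheme flags both benign packages, including the scanner's own package, while still missing the malicious package that carries a whitelisted name.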

Finally, the fake scanners, which do not actually scan anything, exist merely to deliver advertisements, earning revenue for the developers. Android device owners often complain about various pop-ups, banners, and other unwanted content being shown in their browsers, but they usually have no clue where they are coming from.

Who would have thought that the app that is meant to protect you from annoying and sometimes malicious activity performs such actions itself? Unfortunately, as long as Google does not enforce stricter regulations on app developers, these trends will continue. Nevertheless, Google is trying to do so and is constantly removing inappropriate or malicious apps.[5] The 2019 Android Test will also result in the removal of those questionable apps, as stated by researchers.

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.
