UK-based tech research company Comparitech audited 21 free Android antivirus apps and found that 47 percent of them failed in one way or another. The researchers primarily uncovered flaws in the way each app handled privacy, advertising, and security.
The process was spearheaded by the organization's senior security researcher Khaled Sakr, who investigated each app to determine its effectiveness. The company looked at the web management dashboard and all the associated backend services, and also analyzed the built-in trackers that are often bundled with popular antivirus apps.
Three of the apps tested had serious security flaws, while seven, including AEGISLAB Antivirus Free, Zemana Antivirus & Security, NQ Mobile Security & Antivirus Free, MalwareFox Anti-Malware, Antiy AVL Pro Antivirus & Security, Brainiacs Antivirus System, Tap Technology Antivirus Mobile, and Fotoable Super Cleaner, failed to detect a test virus. In most cases, the apps are not doing what the vendors said they would do, and most of them are also tracking users and selling their private information to ad exchanges.
Comparitech discovered that dfndr security fared the worst as far as privacy is concerned, as it has a lot of advertising trackers, which help companies put targeted ads on the devices of users.
Apps from AEGISLAB, BullGuard, and VIPRE Mobile were found to have misconfigured web services, but the flaws were fixed by developers after Comparitech discovered them. VIPRE Mobile had an insecure direct object reference (IDOR) vulnerability which would have allowed attackers to access the address book of users. Based on Comparitech's estimates, more than a million contacts were susceptible to theft because of the broken access control. Some of the leaked contacts even had notes with sensitive private information.
Another IDOR vulnerability made it possible for cybercriminals to send fake virus alerts to VIPRE Mobile users. The app also didn't deliver on its promise of backing up data securely, as Comparitech was able to access sensitive information easily.
Prior to being patched, AEGISLAB's web services had numerous cross-site scripting (XSS) flaws which could have enabled remote attackers to execute malicious code. This would have paved the way for further attacks, especially phishing-related ones. Similarly, BullGuard Mobile Security also had an IDOR vulnerability prior to being notified by Comparitech, which could have enabled a remote criminal to disable antivirus protection. There was also an XSS flaw in the app which might have been used by attackers to fish for personal data or hijack sessions.
Per Comparitech, part of the problem is that there isn't enough competition in the mobile antivirus and antimalware apps space since there aren't that many vendors. Existing vendors focus more on adding new features to differentiate themselves instead of improving their core functionalities. Moreover, since smartphone malware is not that common, developers get away with inferior products.
The onus is also on the Play Store, as popular apps get promoted. In this context, some apps with new features seem to be doing well, rather than the few that actually get the job done. Khaled says that these problems can be prevented if companies strengthen their security wings instead of prioritizing their business unit.