An organization specialized in testing antivirus products concluded in a report published this week that roughly two-thirds of all Android antivirus apps are a sham and don't work as advertised.
The report, published by Austrian antivirus testing outfit AV-Comparatives, was the result of a grueling testing process that took place in January this year and during which the organization's staff looked at 250 Android antivirus apps available on the official Google Play Store.
The report's results are tragicomic --with antivirus apps detecting themselves as malware-- and show the sorry state of the Android antivirus industry, which appears to be filled with more snake-oil sellers than actual cyber-security vendors.
The AV-Comparatives team said that out of the 250 apps they tested, only 80 detected more than 30 percent of the malware samples thrown at each app during individual tests.
The tests weren't even that complicated. Researchers installed each antivirus app on a separate device (no emulator involved) and automated the device to open a browser, download a malicious app, and then install it.
They did this 2,000 times for each app, having the test device download 2,000 of the most common Android malware strains found in the wild last year --meaning that every antivirus app should have had signatures for these strains long ago.
However, the results didn't reflect this basic assumption. AV-Comparatives staffers said that many antivirus apps didn't actually scan the apps the user was downloading or installing, but relied on a whitelist/blacklist approach that looked only at package names (instead of the apps' code).
Essentially, some antivirus apps would mark any app installed on a user's phone as malicious, by default, if the app's package name wasn't included in its whitelist. This is why some antivirus apps detected themselves as malicious when the apps' authors forgot to add their own package names to the whitelist.
In other cases, some antivirus apps used wildcards in their whitelist, with entries such as "com.adobe.*".
In these cases, all a malware strain had to do was use a package name of "com.adobe.[random_text]" to bypass the scans of dozens of Android antivirus products.
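As an added illustration (this is not code from the report or from any product it tested), the snippet below implements the package-name approach the report describes, with a wildcard whitelist entry, and puts it beside a minimal content-based check that hashes the APK bytes against a blocklist. The whitelist entries, package names, and APK byte strings are constructed for the example; the detection thresholds and list contents of real products are not known from the page.

```python
import fnmatch
import hashlib

# Constructed whitelist in the style the report describes: trust by package name,
# including a wildcard prefix. The AV's own package ("com.example.myav") is
# deliberately missing, reproducing the "detects itself as malware" case.
NAME_WHITELIST = ["com.android.chrome", "com.google.android.gms", "com.adobe.*"]

# Constructed APK contents (stand-ins for real files) and a content blocklist
# keyed by SHA-256 of the whole package.
MALICIOUS_SAMPLE = b"constructed-malicious-apk-bytes"
BENIGN_SAMPLE = b"constructed-benign-apk-bytes"
KNOWN_BAD_SHA256 = {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()}


def package_name_verdict(package_name, whitelist):
    """The flawed approach: anything whose package name matches a whitelist entry
    is 'clean', everything else is 'malicious'. The APK contents are never read,
    so a sample only has to pick a matching name."""
    for entry in whitelist:
        # fnmatch's '*' matches any characters, dots included, so
        # 'com.adobe.*' also accepts 'com.adobe.anything.at.all'.
        if fnmatch.fnmatchcase(package_name, entry):
            return "clean"
    return "malicious"


def content_verdict(apk_bytes, known_bad):
    """Minimal content-based check: hash the package bytes and look the digest
    up in a blocklist. The package name plays no role."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    return "malicious" if digest in known_bad else "clean"


def run_demo():
    """Return (name-based, content-based) verdicts for three constructed cases."""
    cases = {
        # Malware that simply chose a package name under the wildcard entry.
        "disguised_malware": ("com.adobe.a8f3k", MALICIOUS_SAMPLE),
        # The AV app itself, whose author forgot to whitelist its own package.
        "av_itself": ("com.example.myav", BENIGN_SAMPLE),
        # A genuinely whitelisted, genuinely benign app.
        "legit_browser": ("com.android.chrome", BENIGN_SAMPLE),
    }
    return {
        label: (package_name_verdict(name, NAME_WHITELIST),
                content_verdict(apk, KNOWN_BAD_SHA256))
        for label, (name, apk) in cases.items()
    }


if __name__ == "__main__":
    for label, (by_name, by_content) in run_demo().items():
        print(f"{label:18s} name-based={by_name:9s} content-based={by_content}")
```

Running it shows the two failure modes side by side: the disguised sample is "clean" by name and "malicious" by content, while the AV's own package is flagged by name even though its bytes are harmless.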
The organization said it treated the 30 percent detection mark (with zero false positives) as the threshold between legitimate antivirus apps and those it considered ineffective or downright unsafe.
That means that 170 of the 250 Android antivirus apps failed the organization's most basic detection test and were, for all intents and purposes, a sham.
"Most of the above apps, as well as the risky apps already mentioned, appear to have been developed either by amateur programmers or by software manufacturers that are not focused on the security business," the AV-Comparatives staff said.
"Examples of the latter category are developers who make all kinds of apps, are in the advertisement/monetization business, or just want to have an Android protection app in their portfolio for publicity reasons," researchers said.
Furthermore, many of these apps also appeared to have been produced by the same developer on an assembly line. Dozens of apps sported the same user interface, and many were more interested in showing ads than in running a working malware scanner.
The results of the AV-Comparatives study are no surprise to anyone in the cyber-security world who has paid attention to the Android antivirus scene in the past few months.
ESET mobile malware analyst Lukas Stefanko has been warning the public against these threats for months.
Some of his past tweets confirm the AV-Comparatives study, with the researcher uncovering Android antivirus apps that detect themselves as malware, mimic malware scans altogether, detect reputable apps as malicious, or are the work of amateur developers rather than established antivirus firms.
Other AV-Comparatives study findings: