28 Million Android Phones Exposed To 'Eye-Opening' Attack Risk

[Image: hacked alert on the screen of a smartphone (Getty)]

New research has revealed the truly shocking state of Android phone security. The source of that security problem may well come as a surprise: antivirus apps designed to protect devices and users. Researchers at testing specialists Comparitech found that apps with more than 28 million installs between them were presenting attack paths and opportunities to threat actors looking to exploit vulnerabilities on the Android platform.

In total, Comparitech put 21 separate Android antivirus apps to the test over the course of many weeks. Some 47% of them failed in one way or another. Three apps contained serious security flaws, including a critical vulnerability that exposed users' address books, laying bare the details of an estimated million contacts. Another vulnerability made one app “very easy to disable remotely” by an attacker.

And that’s before I’ve even mentioned the apps that were unable to detect a virus used during the testing process, or how nearly all of them were found to be tracking their users according to the Comparitech researchers.

“Comparitech spent weeks testing popular free Android antivirus apps,” Aaron Phillips, a Comparitech researcher reported, “we looked for flaws in the way each vendor handles privacy, security, and advertising. The results were eye-opening.”

How were Android phones exposed to risk?

Comparitech’s senior security researcher, Khaled Sakr, took responsibility for the testing itself, looking at each application, its effectiveness, web management dashboard and any back-end services. The apps were also scrutinized for dangerous permissions and trackers embedded within them.

The conclusion was that in many cases at least, the user simply isn’t getting what the apps promised in their Play Store descriptions. While 47% of the apps failed the testing regime in some way, serious security flaws were uncovered in three apps.

Comparitech reports that it found “misconfigured web services,” affecting Vipre Mobile, AegisLab, and BullGuard which could “put user privacy and security at risk.”

The vendors were notified and, during June and July, worked with Comparitech to patch the vulnerabilities before the report was made public on August 1. “We can confirm all vulnerabilities were fixed,” Comparitech stated.

How else did Android antivirus apps fail?

The researchers also used a Metasploit payload which attempts to open a reverse shell on the Android phone without any attempt at obfuscation. Something that “every Android antivirus app should be able to detect and stop,” Comparitech insisted.

However, according to the research report, none of the following mobile antivirus apps were able to detect this “dangerous test virus”:

AegisLab Antivirus Free, Antiy AVL Pro Antivirus & Security, Brainiac’s Antivirus System, Fotoable Super Cleaner, MalwareFox Anti-Malware, NQ Mobile Security & Antivirus Free, Tap Technology Antivirus Mobile and Zemana Antivirus & Security.

What about privacy concerns?

Comparitech also looked for “dangerous permissions and advertising trackers,” to address privacy concerns with security apps. Google does, of course, already ensure that apps have to request approval from the user when these permissions could “affect the user’s privacy or the device’s normal operation.”

Comparitech singled out the “dfndr security: antivirus, anti-hacking & cleaner” app from PSafe as the worst offender. “The sheer number of advertising trackers bundled with the app is impressive,” the report stated, continuing, “as far as we can tell, dfndr puts users’ search and browser habits up for sale on every ad exchange there is.”
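The permission review described above can be reproduced, at least in outline, by reading an app's manifest and checking each requested permission against Android's documented “dangerous” protection level. The following Python script is an added illustration written for this article, not Comparitech's own tooling; it assumes the `AndroidManifest.xml` has already been decoded from the APK (for example with apktool), and the sample manifest, package name `com.example.fakeav` and the `EXPECTED_FOR_SCANNER` allow-list are constructed for the example.

```python
"""Audit a decoded AndroidManifest.xml for 'dangerous' runtime permissions.

Added example (not Comparitech's tooling). It lists the permissions an app
requests, flags those in Android's 'dangerous' protection level, groups
them by permission group, and reports which of them an on-device malware
scanner has no obvious reason to need.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by android:* attributes in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Dangerous permissions and their permission groups, as documented by
# Android (a subset covering the groups most relevant to a security app).
DANGEROUS: Dict[str, str] = {
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.GET_ACCOUNTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.WRITE_CALL_LOG": "CALL_LOG",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_CALENDAR": "CALENDAR",
    "android.permission.WRITE_CALENDAR": "CALENDAR",
    "android.permission.BODY_SENSORS": "SENSORS",
}

# Assumption for this example: a file scanner plausibly needs storage access
# to read downloads and APKs. Any other dangerous permission is reported as
# needing a justification from the vendor.
EXPECTED_FOR_SCANNER = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perms = []
    # <uses-permission-sdk-23> is the API-23+ variant of the same element.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        perms.extend(el.get(name_attr) for el in root.iter(tag) if el.get(name_attr))
    return perms


def audit(manifest_xml: str) -> dict:
    """Summarise dangerous permissions and those a scanner does not obviously need."""
    perms = requested_permissions(manifest_xml)
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    return {
        "total": len(perms),
        "dangerous": dangerous,
        "groups": sorted({DANGEROUS[p] for p in dangerous}),
        "unexplained": [p for p in dangerous if p not in EXPECTED_FOR_SCANNER],
    }


# Constructed sample manifest for a hypothetical "antivirus" app that also
# asks for contacts, precise location and phone state.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print("requested:", report["total"], "dangerous:", len(report["dangerous"]))
    print("groups touched:", ", ".join(report["groups"]))
    for perm in report["unexplained"]:
        print("needs justification:", perm)
```

Run against the constructed manifest, the script reports four dangerous permissions spanning the CONTACTS, LOCATION, PHONE and STORAGE groups, with contacts, location and phone state flagged as unexplained for a malware scanner. The allow-list is deliberately small; a reviewer would tune it per app category, and a clean permission list still says nothing about bundled tracker SDKs, which need a separate inspection of the app's code and network traffic.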

Android antivirus market is too big

Part of the problem, according to Comparitech, is that there really aren’t enough mobile viruses and malware to justify the size of the mobile antivirus market.

Indeed, if you take a look at the Kaspersky “Mobile malware evolution 2018” report, you will see that Kaspersky blocked 116.5 million attacks using mobile malware and detected more than 5 million mobile malware installation packages, across both Android and iOS platforms.

Comparitech notes that an analysis of the Kaspersky numbers reveals that “only 10% of users in the U.S., 5% in Canada and 6% in the UK needed to be protected from a mobile threat last year.”

Is there a need for Android security apps?

Let’s not get too carried away with those small percentages; mobile malware is a real threat, as the 116.5 million attacks blocked by Kaspersky alone aptly demonstrate.

See my “Android ‘Sex Simulator Game’ Ransomware Spreads Using SMS Text Messages” report or the Thomas Brewster revelation that “25 Million Android Phones Infected With Malware That Hides In WhatsApp,” if you want more evidence of the threat.

I still recommend that Android users install an anti-malware app from one of the leading vendors; these are often included as part of the vendors’ Windows internet security suites.

Lack of focus on Android antivirus itself to blame

However, the sheer size of the market does undoubtedly lead to some vendors adding features and functionality in an attempt to differentiate themselves from the ever-increasing number of competing apps. This seems to be where many of the security problems emerge, as Comparitech reported that “every vulnerability we found was with a system incidental to the actual virus scanning.”

Outside of the security app ecosystem itself, it was reported that in July alone 201 harmful apps on the Google Play store had been downloaded some 32 million times between them.

We need antivirus and privacy apps for our Android devices, and we need organizations such as Comparitech to keep putting those apps to the test so users can be sure they are getting the protection that they are expecting.

I have attempted to contact every vendor mentioned in this article, but none had responded to my request for a statement at the time of publication. I will, of course, update this story with any vendor comment that I receive in due course.