Android antivirus software relatively easy to beat
Android virus scanners have been around for several years now, and are installed on hundreds of millions of Android phones (based on the inaccurate ranges that the Play Store provides for installation statistics). A portion of these installs are likely to be due to partnerships (bloatware?) on new phones, but the sheer number of installs shows that many users consider Android virus scanners an important piece of software.
Researchers at Georgia Tech developed a tool, named AVPass, to put 58 of these antivirus apps through a series of tests designed to sneak malware onto the device without activating the antivirus protection. Interestingly, only two of the applications (AhnLab and WhiteArmor) consistently blocked their infection attempts. Wolotsky, one of the researchers, says "We can’t say for sure that we can bypass the other 56 AVs 100% of the time; however, in our tests we were almost always able to do so". Respected antivirus tester AV-Test rated AhnLab first equal in its May 2017 testing, with a 100% detection rate against its malware sample kit, showing that it has high accuracy during regular testing too.
The reason that so many of the apps can be bypassed is that they appear to use relatively simple detection rules, similar to how PC antiviruses worked several years ago. Android antivirus apps are often focused on scanning other apps on the phone, to detect rogue apps from the Play Store or malicious APKs that the user has downloaded. For Android phones in their default state, where the user doesn't have root access and the phone is set to allow installations only from the Play Store, the attack vectors are much more limited than on a computer.
The researchers are presenting their work at the Black Hat USA 2017 conference in Las Vegas, where they hope Android antivirus developers will see the benefits of using the data generated by the AVPass tool to improve the protection their apps offer.