Notebookcheck Logo

Android antivirus software relatively easy to beat

Virus infections are relatively rare on Android, but the risk increases when the user allows side loading of apk files. (Source: gfkDSGN/Pixabay)
Virus infections are relatively rare on Android, but the risk increases when the user allows side loading of apk files. (Source: gfkDSGN/Pixabay)
Researchers at Georgia Tech were able to bypass the protection of 97% of the popular Android antivirus applications tested. The detection rules used by most of the programs appear to be relatively basic, and by presenting their results at the Black Hat USA 2017 conference, the researchers are hoping that developers can improve the performance of their scanners.

Android virus scanners have been around for several years now, and are installed on hundreds of millions of Android phones (based on the inaccurate ranges that the Play Store provides for installation statistics). A portion of these installs are likely to be due to partnerships (bloatware?) on new phones, but the sheer number of installs show that many users consider Android virus scanners as an important piece of software.

Researchers at Georgia Tech developed a tool, named AVPass, to put 58 of these antivirus apps through a series of tests designed to sneak malware onto the device without activating the antivirus protection. Interestingly, only two of the applications (Ahnlabs and WhiteArmour) consistently blocked their infection attempts. Wolotsky, one of the researchers, says "We can’t say for sure that we can bypass the other 56 AVs 100% of the time; however, in our tests we were almost always able to do so". Respected antivirus tester, AV-Test, rated Ahnlabs first equal in their May 2017 testing with a 100% detection rate of their malware sample kit, showing that it has high accuracy during regular testing too.

The reason that so many of the apps can be bypassed is that they appear to use relatively simple detection rules, similar to how PC antiviruses worked several years ago. Android antivirus apps are often focused on scanning other apps on the phone, to detect rogue apps from the Play Store or malicious APKs that the user has downloaded. For android phones in their default state, where the user doesn't have root access, and the phone is only set to allow installations from the Play Store, the vectors for attack are much more limited than on a computer.

The researchers are presenting their work at the Black Hat USA 2017 conference in Las Vegas, where they hope Android antivirus developers will see the benefits of using the data generated by the AVPass tool to improve the protection their apps offer.


static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
Craig Ward, 2017-07-24 (Update: 2017-07-24)