
Two-thirds of all Android antivirus apps are frauds - mpweiher
https://www.zdnet.com/article/two-thirds-of-all-android-antivirus-apps-are-frauds/
======
grawprog
Whenever I see anything about android anti-virus apps I've always been
confused about what it is they actually look for. Every app on an android
phone has fine grained permission management and for anything you give
specific access to system functions (like drawing over other apps) to, you have
to go to a specific extra permission enabling screen full of warnings to
enable it.

I understand there's apps with malicious things buried in them, but how can an
antivirus determine between something like that and something benign?

As far as I can tell, traditional viruses, the way they work on windows and dos
systems, just wouldn't work on android.

I'm not sure if I'm just missing something, but this article kind of confirms
my suspicions. It just seems like you'd have to be really fucking around, or
just completely and utterly oblivious to some very obvious red flags, to
install a straight up virus on android.

~~~
ignoramous
> As far as I can tell, traditional viruses, the way they work on windows and
> dos systems, just wouldn't work on android.

You might be interested in reading Google's guidelines on what they consider
to be a "potentially harmful application" (PHA) [0].

> [..] anything you give specific access to system functions (like drawing over
> other apps) to, you have to go to a specific extra permission enabling
> screen full of warnings to enable it.

Oh, despite the on-device on-use/first-use consent, the android app ecosystem
was a big mess before Google started auto-detecting rogue apps and booting
them out of play store.

Even today, despite GooglePlayProtect, I occasionally find my friends
complaining about apps hijacking their phones to show ads and sometimes be
very hard to dismiss, and they do not absolutely know what to do
(disable/uninstall no longer used apps, revoke permissions, disable
notifications). They'd install anti-viruses in hope that it would help fix
that.

> how can an antivirus determine between something like that and something
> benign

Not sure what anti-viruses do, but some examples from Google's 2018 report on
how they fished out PHAs using static/dynamic analysis of apks and machine
learning [1]:

1. Re-packaged game apps with data-hoarding/adware.

2. Click-fraud apps (see above).

3. Suspension of key device functionality (on a rooted device, esp).

> It just seems like you'd have to be really fucking around, [..] to install a
> straight up virus on android.

You might be right: A good percentage of 2bn active android users might be
doing just that.

--

[0] https://source.android.com/security/reports/Google_Android_Security_PHA_classifications.pdf

[1] https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html

~~~
pitaj
But do apps from the play store have the system permissions to carry out those
operations on other apps?

I don't think they do.

------
craftoman
Every antivirus app is a fraud. I stopped using them about 10 years ago now, I
only use firewall and haven't got any problems. There's also some great
firewall apps for Android that have logging and stuff, pretty useful.

~~~
wangchungtonite
I have never owned an android phone and honestly did not know that there were
antivirus apps for the phone. That makes me glad that I never owned one. Are
viruses much of a concern for android phones?

~~~
viraptor
This is really not Android-specific:
https://top8antivirus.com/ios-antivirus-comparison/

But it's mostly a scam. Unless you really go for dodgy apps, it's all fine.

------
MBCook
And 100% of iOS ones are. Why are they even allowed in the App Store?

~~~
drusepth
This comment is breaking my brain.

If 100% of iOS antivirus apps are fraud, that implies they do nothing
(probably because of permissions) and/or there are no viruses on iOS to even
find, no? If that's the case, that'd further imply those antivirus apps
aren't, themselves, malware. Then... what's the point? Why would they exist as
apps (and why would people download them) if they do nothing and gain nothing
for the author or the user?

~~~
scarface74
They gain money for the author.

~~~
uponcoffee
This ^

If it's free it's probably making money from ads, or making money from your
information. Or you paid for it and it's doing the above anyways. AV style
apps can ask for a lot of permissions without raising as much as an eyebrow
because they need them to 'protect' users, which puts them in a nice spot to
data mine.

------
Avamander
It has been like that for at least five years, it's nice that there's finally
an article about it.

------
motohagiography
The article was like the security equivalent to an anti-vaxxer blog post.

First, AV bake-offs are a racket that gets security companies to hand over
their malware samples or pay to be "excluded," from the bake off. So anyone
with advantageous data either gives that up, or pays to be left out of the
test. There is nothing honest about their benchmarks or methods. Bake-off
companies are scumbags, and this ZDNet reporter got taken.

Second: Hard problem with malware detection on mobile is that there is no
privileged role to do analysis from. It's not like you can root the phone and
do syscall interception. The best they can do is analysis of apps you can
find, and to do automated software analysis at scale is some very interesting
work.

However, if you are the target of a custom APT, there isn't a lot anyone can
do.

There are a few startups who are doing automated dynamic analysis and working
on symbolic execution problems to further this. That the industry has not
solved it yet does not make them fraudulent.

Third, Android malware includes:

- fake repackaged apps with adware or spyware.
- spyware installed by 3rd party
- malware that roots the device
- whatever all those dodgy 2FA and password manager apps are.
- apps with libraries with known vulnerabilities (think image processing,
  overflows, etc)
- apps that hoover up your data (txts, contacts, browsing, etc) and send it to
  authors.

The security model of mobile devices (iOS and Android) enforces hard limits on
what is possible in terms of security value add by a non-OEM vendor. OEMs are
worse than useless, and so app vendors have moved into the game. The threat
model apps mitigate is patchy, but it suffices for most consumer and
enterprise use cases. However, if you antagonize a government and get targeted
custom malware, it would seem naive to think an app vendor is going to protect
you.

While I have no remaining affection for any vendors in that space, to call
them fraudulent is sensational, if not obnoxious.

~~~
ccnafr
No offense, but nothing you have theorized here can be proven to be true.

It seems to me that you've created your own conspiracy theory about the AV
industry.

I don't see how this study can be disproven. "Security apps" detected
themselves as malware. I'd say calling them "fraudulent" is quite accurate.

Just because you wrote a long comment, that doesn't make it right or accurate.
You're way off base.

------
drewmol
When 90%+ of all android apps are spyware, google, OEM and carrier apps being
the worst offenders it becomes ironic for one spyware beneficiary to call
another fraudulent.

------
throwaway24312
One of the problems that we have encountered is that even though an Android AV
might be less than useful, during the sales process enterprise customers are
requiring a solution for each type of endpoint they have. So to play the game,
you need to offer a solution, even if it is not a solution.

------
jasonvorhe
Chris DiBona from Google already said this in 2011:
https://www.cnet.com/news/googler-android-antivirus-software-is-scareware-from-charlatans/

------
gzeus
People used to install these memory cleaners and anti virus apps and I used to
tell them, they don’t do anything. And they used to say, if they do then
you’re screwed. The logic is just weird for me. Idk what to argue then.

------
anonytrary
Antivirus frauds are like insecticides: I'll kill all the bugs ruining your
crops, but I'll ruin your crops too.

------
meruru
The only virus protection you'll ever need on smartphones is to know to
install only programs from F-Droid: https://f-droid.org

~~~
oifdf
F-Droid has no viruses because nobody uses it so nobody bothers to upload any
malware to it.

~~~
ElementW
F-Droid is very similar in design to Linux/BSD/... package repositories as in
only a few select people can push binaries to the repos (of course you can
extend that list if you add other repos to your list). Considering the
official F-Droid repo only ever accepts free software that can be built
(manually or automatically) by the maintainers, the risk of spreading stuff
that can be called "viruses" or "malware" is somewhat slim; either the
original app code repo or a maintainer has to go wrong. However this is
significantly less likely than on a store virtually anybody can upload to.
Your comment just comes out as dismissive based on your perceived
insignificance of the project, but that's just twisting reality: F-Droid has
less malware, _by design_.

