Two-thirds of all Android antivirus apps are frauds (zdnet.com)
123 points by mpweiher 36 days ago | hide | past | web | favorite | 35 comments

Whenever I see anything about Android anti-virus apps I've always been confused about what it is they actually look for. Every app on an Android phone has fine-grained permission management, and for anything you give specific access to system functions (like drawing over other apps), you have to go to a specific extra permission-enabling screen full of warnings to enable it.

I understand there's apps with malicious things buried in them, but how can an antivirus determine between something like that and something benign?

As far as I can tell, traditional viruses, the way they work on Windows and DOS systems, just wouldn't work on Android.

I'm not sure if I'm just missing something, but this article kind of confirms my suspicions. It just seems like you'd have to be really fucking around, or just completely and utterly oblivious to some very obvious red flags, to install a straight up virus on Android.

> As far as I can tell, traditional viruses, the way they work on Windows and DOS systems, just wouldn't work on Android.

You might be interested in reading Google's guidelines on what they consider to be a "potentially harmful application" (PHA) [0].

> [..] anything you give specific access to system functions (like drawing over other apps) to, you have to go to a specific extra permission enabling screen full of warnings to enable it.

Oh, despite the on-device on-use/first-use consent, the Android app ecosystem was a big mess before Google started auto-detecting rogue apps and booting them out of the Play Store.

Even today, despite Google Play Protect, I occasionally find my friends complaining about apps hijacking their phones to show ads that are sometimes very hard to dismiss, and they absolutely do not know what to do (disable/uninstall no longer used apps, revoke permissions, disable notifications). They'd install anti-viruses in the hope that it would help fix that.

> how can an antivirus determine between something like that and something benign

Not sure what anti-viruses do, but some examples from Google's 2018 report on how they fished out PHAs using static/dynamic analysis of apks and machine learning [1]:

1. Re-packaged game apps with data-hoarding/adware.

2. Click-fraud apps (see above).

3. Suspension of key device functionality (on a rooted device, esp).

> It just seems like you'd have to be really fucking around, [..] to install a straight up virus on android.

You might be right: a good percentage of the 2bn active Android users might be doing just that.


[0] https://source.android.com/security/reports/Google_Android_S...

[1] https://security.googleblog.com/2019/01/pha-family-highlight...

But do apps from the play store have the system permissions to carry out those operations on other apps?

I don't think they do.

To be specific, we're not talking about classical viruses here.

This is a different kind of malware.

Fortunately, you're probably not going to get 'infected' merely by being on the same network as someone with malware.

I think perhaps Google should take some API steps to help fix the problem. There are just some kinds of things that nary an app should be able to do anyhow.

I could imagine either just a vanilla app blacklist that's regularly updated, or maybe a scanner that looks for known third party libraries commonly used for evil purposes?

As if most people pay attention to warnings. Android warnings are about as effective as Windows UAC.

Every antivirus app is a fraud. I stopped using them about 10 years ago; I only use a firewall and haven't had any problems. There are also some great firewall apps for Android that have logging and stuff, pretty useful.

All AV ever did for me was find cracks (not virus infected cracks but simply cracks) or android rooting tools. I, too, stopped using AV around 10 years ago.

AV has its uses, but imo only for tech illiterate people who tend to download random stuff and execute it without thinking about it.

Are you aware Google acquired Virustotal in 2012?

I know people @ Google who worked on related technology, it's not all fraud and they took their jobs rather seriously.

But there is definitely some fraud going on. Virus scanners are necessarily positioned and privileged perfectly for exploitation. You definitely have to be careful with what you employ in this capacity.

That statement is not true, e.g. Virustotal Mobile isn't fraud.

Why is that from a 3rd party developer? The official app doesn't seem to exist any more: The link from https://www.virustotal.com/en/documentation/mobile-applicati... is dead.

Edit: Found this one: https://support.virustotal.com/hc/en-us/articles/11500214654...

I have never owned an android phone and honestly did not know that there were antivirus apps for the phone. That makes me glad that I never owned one. Are viruses much of a concern for android phones?

This is really not Android-specific: https://top8antivirus.com/ios-antivirus-comparison/

But it's mostly a scam. Unless you really go for dodgy apps, it's all fine.

No, not really. The biggest concern is what everyone ignores: apps that provide some kind of barely useful feature, but phone home and provide information about you, like your phone number, IMEI, your location, etc.

And 100% of iOS ones are. Why are they even allowed in the App Store?

Perhaps app stores exist less to improve the lives of consumers and more for OS companies to get a percentage of all software sales on their platform.

That doesn't hold as much water when you take into account how much curation goes on with the app store.

This comment is breaking my brain.

If 100% of iOS antivirus apps are fraud, that implies they do nothing (probably because of permissions) and/or there are no viruses on iOS to even find, no? If that's the case, that'd further imply those antivirus apps aren't, themselves, malware. Then... what's the point? Why would they exist as apps (and why would people download them) if they do nothing and gain nothing for the author or the user?

> why would people download them

Because they think they need antivirus, they go searching on the App Store, and because Apple has totally failed in curation in this regard, they find them.

They subsequently don't get a virus, leave a five star review, and recommend it to their friends. See the Simpsons episode about the "anti-tiger rock".

They gain money for the author.

This ^

If it's free it's probably making money from ads, or making money from your information. Or you paid for it and it's doing the above anyways. AV style apps can ask for a lot of permissions without raising as much as an eyebrow because they need them to 'protect' users, which puts them in a nice spot to data mine.

I'm not aware which apps you refer to, or even if they're frauds, but there is a potential use case: scanning documents for e.g. Windows viruses before sending them to other people.

Memory cleaner 2000!

It has been like that for at least five years, it's nice that there's finally an article about it.

The article was like the security equivalent of an anti-vaxxer blog post.

First, AV bake-offs are a racket that gets security companies to hand over their malware samples or pay to be "excluded" from the bake-off. So anyone with advantageous data either gives that up, or pays to be left out of the test. There is nothing honest about their benchmarks or methods. Bake-off companies are scumbags, and this ZDNet reporter got taken.

Second: the hard problem with malware detection on mobile is that there is no privileged role to do analysis from. It's not like you can root the phone and do syscall interception. The best they can do is analysis of apps you can find, and doing automated software analysis at scale is some very interesting work.

However, if you are the target of a custom APT, there isn't a lot anyone can do.

There are a few startups who are doing automated dynamic analysis and working on symbolic execution problems to further this. That the industry has not solved it yet does not make them fraudulent.

Third, Android malware includes:

- fake repackaged apps with adware or spyware.
- spyware installed by 3rd party
- malware that roots the device
- whatever all those dodgy 2FA and password manager apps are.
- apps with libraries with known vulnerabilities (think image processing, overflows, etc)
- apps that hoover up your data (txts, contacts, browsing, etc) and send it to authors.

The security model of mobile devices (iOS and Android) enforces hard limits on what is possible in terms of security value-add by a non-OEM vendor. OEMs are worse than useless, and so app vendors have moved into the game. The threat model apps mitigate is patchy, but it suffices for most consumer and enterprise use cases. However, if you antagonize a government and get targeted custom malware, it would seem naive to think an app vendor is going to protect you.

While I have no remaining affection for any vendors in that space, to call them fraudulent is sensational, if not obnoxious.
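The comment above says the best a non-privileged mobile scanner can do is analyse the apps it can find, and lists the categories it looks for (data hoovering, adware overlays, persistence). As an added illustration of what one such static check looks like (this is not code from any commenter, from Google, or from any AV vendor), here is a hypothetical permission review in Python. It assumes the APK's AndroidManifest.xml has already been decoded to plain XML (a tool such as apktool does that; this snippet does not parse the binary manifest inside an APK), and the sample manifest it runs on is constructed for the example. It generalises slightly beyond the comment: the same heuristics work on any decoded manifest, and a benign manifest produces no findings.

```python
"""Heuristic permission review of a decoded AndroidManifest.xml.

Hypothetical example.  Flags permission combinations that line up with
the malware categories named in the thread: private data + network
access (data hoovering), drawing over other apps (ad overlays / UI
hijacking) and restarting at boot (persistence).  It only reads the
manifest; it does not inspect code or run the app.
"""
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace (e.g. android:name).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a "flashlight" app asking for far more than it needs.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Permissions that expose the user's private data.
PRIVATE_DATA = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_manifest(xml_text):
    """Return (package name, set of requested permissions, set of intent actions)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID_NS + "name") for e in root.iter("action")}
    return package, perms, actions


def review_manifest(xml_text):
    """Return findings as a list of (severity, reason), highest severity first."""
    _, perms, actions = parse_manifest(xml_text)
    findings = []

    # Data hoovering: private-data permissions are only a problem if the app
    # can also send the data somewhere.
    exfil = perms & PRIVATE_DATA
    if "android.permission.INTERNET" in perms and exfil:
        names = ", ".join(sorted(p.rsplit(".", 1)[1] for p in exfil))
        findings.append(("high", "network access combined with private data: " + names))

    # Overlay ads / UI hijacking: the "draw over other apps" permission.
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append(("medium", "can draw over other apps (overlay ads, UI hijacking)"))

    # Persistence: declares a boot receiver and asks to be woken at boot.
    if ("android.permission.RECEIVE_BOOT_COMPLETED" in perms
            and "android.intent.action.BOOT_COMPLETED" in actions):
        findings.append(("medium", "restarts itself at boot (persistence)"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    package, _, _ = parse_manifest(SAMPLE_MANIFEST)
    for severity, reason in review_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {package}: {reason}")
```

Each finding here is a heuristic, not proof of malice: a messaging app legitimately needs READ_SMS and INTERNET together, and a launcher needs to start at boot. That is exactly why a manifest-only check is a triage step rather than a verdict, and why the comment above treats scalable analysis of the app itself as the interesting part.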

No offense, but nothing you have theorized here can be proven to be true.

It seems to me that you've created your own conspiracy theory about the AV industry.

I don't see how this study can be disproven. "Security apps" detected themselves as malware. I'd say calling them "fraudulent" is quite accurate.

Just because you wrote a long comment, that doesn't make it right or accurate. You're way off base.

> few startups who are doing automated dynamic analysis and working on symbolic execution

Can you mention some of the new technical directions? I used to work in security, did Windows AV, kernel layer, code analysis, etc., but I have been out of this game for a couple of years.

Today I am more interested in compiler techniques and code synthesis.

When 90%+ of all Android apps are spyware, with Google, OEM and carrier apps being the worst offenders, it becomes ironic for one spyware beneficiary to call another fraudulent.

One of the problems that we have encountered is that even though an Android AV might be less than useful, during the sales process enterprise customers are requiring a solution for each type of endpoint they have. So to play the game, you need to offer a solution, even if it is not a solution.

Chris DiBona from Google already said this in 2011: https://www.cnet.com/news/googler-android-antivirus-software...

People used to install these memory cleaners and anti-virus apps and I used to tell them, they don't do anything. And they used to say, if they do then you're screwed. The logic is just weird for me. Idk what to argue then.

Antivirus frauds are like insecticides: I'll kill all the bugs ruining your crops, but I'll ruin your crops too.

The only virus protection you'll ever need on smartphones is to know to install only programs from F-Droid: https://f-droid.org

F-Droid has no viruses because nobody uses it so nobody bothers to upload any malware to it.

F-Droid is very similar in design to Linux/BSD/... package repositories, in that only a few select people can push binaries to the repos (of course you can extend that list if you add other repos to your list). Considering the official F-Droid repo only ever accepts free software that can be built (manually or automatically) by the maintainers, the risk of spreading stuff that can be called "viruses" or "malware" is somewhat slim: either the original app code repo or a maintainer has to go wrong. However, this is significantly less likely than on a store virtually anybody can upload to. Your comment just comes across as dismissive based on your perceived insignificance of the project, but that's just twisting reality: F-Droid has less malware, by design.
