What do you do when your defences are the ones spying on you?

A free mobile anti-virus app developed by the DU group, a developer of Android apps, has been found to collect user data without the device owners' consent. 

According to Check Point mobile threat researchers reporting in an 18 September blog, “...when the app runs for the first time, the DU Antivirus Security app collects information from the device, such as unique identifiers, contact list, call logs, and potentially the location of the device. This information is then encrypted and sent to a remote server. The customer information is later used by another app offered by the DU group, called ‘Caller ID & Call Block – DU Caller,’ which provides users with information about incoming phone calls.”

The app, DU Antivirus Security, is distributed over Google Play, Google's official app store, and had been downloaded between 10 and 50 million times, according to Google Play data.

The researchers point out that users would have trusted DU Antivirus Security to protect private information, when in fact it did the exact opposite. “It collected the personal information of its users without permission and used that private information for commercial purposes. Information about your personal calls, who you're speaking with and for how long, was logged and later used.”

Check Point says it reported the illegal use of the users' private information to Google on 21 August, 2017, and the app was removed from Google Play on 24 August, 2017. A new version that doesn't include the harmful code was uploaded to the Play store on 28 August, 2017. Version number 3.1.5 of DU Antivirus Security is the latest version number found to include this privacy-leaking code, but older versions might still include it.

Check Point researchers detected the same code in 30 other apps, with the code affecting between 24 and 89 million users; 12 of the other apps were on Google Play and were subsequently removed.

Talking to SC Media UK, Tony Anscombe, ESET's industry ambassador, observed, “If it's collecting data and passing to another app, it sounds non-malicious but it is a disclosure issue. There's a hundred different anti-virus products on the market, 10 companies dominate, and I am sure there are some products in there developed with great intentions but sometimes people don't understand what disclosures they should make and what disclosures they shouldn't make.”

“You have to have a trust relationship as an anti-malware provider because the access you have to someone's device is all-seeing, because it needs to be, so the disclosures have to be correct, and your privacy policy has to be written in a way that someone can understand as well. There needs to be language in there that my mum can understand.

“These stories affect the entire industry because if people lose trust with the security industry it's bad for all of us. Also – being in the Google Play store, it undermines that. It also emphasises the need for diversity of supply. If you are in a monoculture, then if that one provider misses something it can get mass infection. With a diverse security industry with lots of different players looking at lots of different things, then you get lower infection rates, and fewer issues, because people look at things from different places.”