android vulnerability
android vulnerability
A fake anti-virus app has re-emerged on Android devices, according to security researchers.

According to a blog post by Nathan Collier, senior malware intelligence analyst at Malwarebytes, the app, called Andriod's Antivirus, appeared. He said it was “clearly a repackaged variant of Armor for Android”.

Collier said that when Armor of Android first came out in 2013, he discovered it while playing a free game downloaded from Google Play. The app was free but had ads, one of which claimed the smartphone was infected with a virus.

He decided to investigate it and clicked Download & Scan FREE Now, and it started to download a file named Scan-For-Viruses-Now.apk. 

“After the download, I landed on a known Armor for Android web page that instructs you to allow unknown sources and again to download and install an app,” he said.

He added that it was very odd for a legitimate AV company to instruct mobile users to download directly from their website rather than pointing them to Google Play.

This particular app insisted on a payment of US$ 1.99 (£1.47) to scan the device and this was a per weekly payment. 

“Fake AVs like the one described above have been around for a long time and come in many different forms. Some can be extremely dangerous. For legitimate antivirus/anti-malware programs to do their jobs, special permissions must be given,” he said.

He said that legitimate antivirus apps use device administration as required to remediate ransomware, but because of the elevated permissions needed, consumers need to take extra caution when choosing antivirus apps on smart devices. “Give those same rights to a malicious Fake AV app, and you could be in trouble.”

“Unfortunately, it's often hard to tell what is a Fake AV versus a legitimate antivirus/anti-malware mobile app—especially when Fake AVs creep into Google Play and take time to create a convincing website,” he said.

He added that consumers should do their research to pick apps from respectable software companies.

Santiago Torres, senior mobility specialist at Wandera, told SC Media UK that the extensive scanning permissions that AV apps are granted, make them an appealing target for hackers. 

“Once installed onto the device, the software acts as the perfect middle agent - as the attacker can compromise the software - while letting it seamlessly run in the background. It's a double whammy. The user feels safe in knowing they've taken the appropriate measures to protect their device, and the hacker is able to conceal their work within a seemingly reputable source,” he said.

Winston Bond, technical director EMEA at Arxan Technologies, told SC Media UK that organisations must make that their employees have access to legitimate AV software, and all the other apps they need, direct from the company. “That can easily be done, even in a real BYOD environment, by using a mobile application management platform,” he said.

Valentin Konev, security analyst at RiskIQ, told SC Media UK that malware can be persistent, especially when working with escalated privileges. 

“However, this was not reported to be the case in this situation. As with any other application, it can be uninstalled. As a best practice, users can install free trials of commercial variants of reputable AV Vendors and run scans on their devices. This application already has signatures and hence it will be flagged by reputable vendors,” he said.

Paul Ducklin, senior technologist at Sophos, told SC Media UK that Google Play is far from perfect, and crooks are prepared to put the effort into sneaking their 'appstortion' products past Google's safety check. 

“Using a third-party anti-virus or mobile control solution can help you spot and remove rogue apps wherever they come from, even if they have Google's implicit approval. Nevertheless, I'd recommend sticking to Google Play and not opening up your phone to any old online marketplace, given that some of them little more than a free-for-all,” he said.