How much do you really know about — and how much should you really trust — the apps that you are downloading and installing on your phone?
Last week I ran across an on-line article with the unnerving headline “Two-thirds of all Android antivirus apps are frauds.” The article reports on testing that was performed by an Austrian group called AV-Comparatives that specializes in testing antivirus products. The group looked at 250 Android antivirus apps that were available on the Google Play Store. It installed the apps on phones, then tried to download malicious software that was in use last year and therefore should be detected by any decent, functioning antivirus app.
The testing found that more than half of the apps didn’t work as advertised. Many didn’t “scan” and analyze the code of the downloaded software at all, and instead just checked the title of the software against “whitelists” and “blacklists.” As a result, some antivirus apps found themselves to be malware because the developers forgot to include them on the “whitelist” of approved software. In addition, some apps were easily fooled because package names that included references to reputable software creators, like “com.adobe,” could bypass the software and permit malware to be installed without detection.
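To make those two failures concrete, here is a short Python sketch added as an illustration; it is not code from AV-Comparatives or from any of the tested apps. The lists, package names and sample bytes are constructed, and flagging anything that is not on the whitelist is an assumption drawn from the self-detection result described above.

```python
import hashlib

# Assumed lists for illustration; the tested apps' real lists are not in the article.
TRUSTED_FRAGMENTS = ("com.adobe", "com.google")   # "whitelist" of vendor name fragments
BLOCKED_NAMES = {"com.example.knownbad"}          # "blacklist" of exact package names

# Constructed stand-in for the body of a known-malicious package.
SAMPLE_PAYLOAD = b"constructed stand-in for a known malicious package body"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

def name_only_verdict(package_name: str) -> str:
    """Weak check: decide from the package name alone, never reading the code."""
    if package_name in BLOCKED_NAMES:
        return "malicious"
    if any(fragment in package_name for fragment in TRUSTED_FRAGMENTS):
        return "clean"        # any name that mentions a trusted vendor passes
    return "malicious"        # assumed default: not whitelisted means flagged

def content_verdict(package_bytes: bytes) -> str:
    """Minimal content check: hash what is actually inside the package."""
    digest = hashlib.sha256(package_bytes).hexdigest()
    return "malicious" if digest in KNOWN_BAD_SHA256 else "unknown"

# Constructed test packages: (package name, package body).
PACKAGES = [
    ("com.example.antivirus", b"constructed: the scanner's own code"),
    ("com.adobe.constructed.sample", SAMPLE_PAYLOAD),  # bad body, trusted-looking name
    ("com.example.knownbad", SAMPLE_PAYLOAD),          # bad body, blacklisted name
]

def compare(packages):
    """Return {name: (name-only verdict, content verdict)} for each package."""
    return {
        name: (name_only_verdict(name), content_verdict(body))
        for name, body in packages
    }

if __name__ == "__main__":
    for name, (by_name, by_content) in compare(PACKAGES).items():
        print(f"{name:30} name-only={by_name:10} content={by_content}")
```

The name-only check flags the scanner's own package and passes the known-bad body that carries a trusted-looking name, while the hash check ignores the name entirely. A hash lookup is only the simplest form of content inspection and recognizes nothing beyond exact copies of known samples.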
In all, the Austrian group found that 170 of the 250 antivirus apps failed the basic detection tests and were either ineffective or unsafe. AV-Comparatives concluded that many of the apps were developed by amateurs or were basically being used as platforms for ads and were not legitimate antivirus protection.
I use an Apple iPhone, so I’m not directly affected by issues with Android antivirus apps, but the testing of the antivirus apps raises a more basic question — how are apps being screened, and how much of what is made available to the general public, on either a free or paid basis, is valid and works as advertised? And, even worse, is anyone trustworthy actually looking at the apps to see whether they are vehicles for getting access to personal phones for fraudulent purposes? How does anyone know that the app they are downloading isn’t a technological Trojan horse?