Thanks, but No Thanks!

RiskIQ identifies hundreds of malicious ‘antivirus’ apps, capitalizing on ransomware fears and putting users at risk

Malware WannaCry

Photo Credit: Flickr: Blogtrepreneur

Author

Forrest Gueterman is a Security Analyst for RiskIQ's Customer Success department.

With the world connecting more and more through mobile devices, it is becoming increasingly important to make sure those devices are secured. While many security companies are taking on the challenge of keeping data safe in a mobile world, there are plenty of predators out there who see this as another avenue to exploit.

Case in point: The rise of fake WannaCry “protectors” apps that use the fear and hysteria around the self-propagating ransomware to drive downloads, even though mobile systems are safe from its impact. These apps don’t do anything helpful and the possibility that some threat actors will build fake WannaCry apps to propagate malware remains.

Leveraging the threat of malware infections to drive downloads of potentially unwanted programs, worthless mobile apps, and even malware, isn’t limited to the WannaCry theme. Hundreds of examples of apps that claimed to help defend mobile phones were found, instead, to be preying on unsuspecting users by pushing adware, trojans, and other malware.

Using a title search for “Antivirus” resulted in 6,295 total apps, past and present, claiming to either be an antivirus solution, review antivirus solutions or be associated with antivirus software in some way. More than 700 of these apps triggered blacklist detections from the aggregated antivirus vendors in VirusTotal. Trimming the dataset to compare apps only coming from the Google Play store showed 655 results. Of those, 131 had triggered blacklist detections.

We then refined the data to only apps still labeled as being active. More than 4,290 antivirus apps were still being active, with 525 of those having blacklist hits. The Google Play store has 508, with 55 blacklisted. Comparing the numbers, it shows that historically, the Google Play store has had a greater percentage of blacklisted antivirus apps, at 20% versus the overall 11%. However, the current amount of blacklisted antivirus apps in the Google Play store is at 10.8%, versus the overall of 12.2%.

Of course, not all of these blacklist hits from VirusTotal mean that the app is malicious, and many malicious antivirus apps are not blacklisted at all. After all, even on VirusTotal’s website, they state “it may be used as a means to detect false positives.”

When it comes to the safety of your mobile devices, it is always best to be diligent. Be careful about inviting the bad guys in and giving them access to everything when choosing an antivirus app.

General tips on what to look out for also apply to mobile antivirus solutions:

  • Try to only download from official stores. Google, for example, seems to be diligently removing malicious apps at a greater rate than third-party stores.
  • Review the permissions requested, make sure the developer email address is not a free email service like Gmail or Hotmail.
  • Look over the app description to see if it is riddled with grammatical errors.
  • Finally, when possible, check the app against known blacklists; VirusTotal provides an excellent starting point.

 

IIoT company Samsara raises $40M in Series C round led by General Catalyst
US to lead in AI-driven business revenue growth by 2021: Report