ESET’s analysis of shady apps pretending to be security – or “antivirus” – apps that were discovered on Google Play left some questions unanswered. Lukáš Štefanko, who did the research, speaks about its wider consequences.

Shady apps

In your article, you describe the apps as shady, disguised as security software… we are used to calling such apps 'fake'. What prompted the change  of language when describing the apps in question?

First, none of those apps deserves to be called a security app. Their functionality is close to zero – and, considering the false positives these apps generate and also the fact that they create a false sense of security in the victims, their net security effect is negative.

However, they do contain features that can could be labeled a security functionality – if they were not so primitive, or so poorly implemented, or both. In my opinion, these features were not designed with security in mind. Clearly, the authors’ goal is to prevent us from calling their apps fake. And, more importantly, to avoid having these apps swiftly removed from Google Play.

Their efforts have paid off only partially. The Google Play security team was not as fast as usual at removing these apps from the store – however, none of those apps are available for download any longer.

Maybe there is something the Google security people don’t consider that primitive or that poorly implemented…

Well… I researched the apps quite thoroughly and I’m pretty sure that no reasonable security expert could find them useful in any way.

In my opinion, it’s rather about capacity and priorities on the Google side. On one hand, these shady apps clearly deceive users – their names and descriptions promise security, but all they do is just deliver ads. On the other hand, sometimes even dangerous apps manage to get past Googles' defenses and are posted on Google Play before they are removed after their true nature is discovered.

As for the security capabilities, these shady apps primarily simulate some whitelisting and blacklisting. While there is nothing wrong with these techniques in principle, their effect in this case is zero at best. Those few package names in the lists get blacklisted forever and, more importantly, no new items can be added. The apps don’t have any updating mechanism, meaning that they cannot detect new threats.

Can you imagine a functioning security solution that is completely static, without any access to latest knowledge about threats?

Quite frankly, this is exactly what next generation security vendors claim as their biggest advantage over established security vendors…

Look, those exaggerated marketing claims by post-truth vendors, as we call them, is another topic completely. And by the way, even they have to update their models from time to time…

What’s important with the shady apps we are discussing here is that they rely on primitive lists of what’s good and what’s bad. And these contain dozens of items compared to hundreds or even thousands as is common with products from true security vendors – products with real scanning engines. And they can’t be updated, whereas true security vendors update their databases several times a day – not to mention the cloud-based security that works in near-real time, as offered by most true-to-the-name security vendors.

Let me summarize it. In truth, these shady apps have no real benefit for the users of Android smartphones and tablets, and should be avoided.

Instead, use a reputable mobile security solution – ideally, choose a solution that performs well in independent tests. For example, AV-Comparatives, which is a respectable testing organization, has recently published their report on mobile security. In my opinion, the report is worth reading.