10 antivirus apps with a total of 1.9 billion downloads revealed to be riddled with dangerous access permissions, malware and spyware

28 October 2019: Privacy and security research company VPNpro has analysed the top 30 free antivirus apps available on Google Play and found ten of these apps to have a host of dangerous access permissions or known malware. The apps, with a total of around 1.9 billion downloads worldwide, are believed to use these permissions to collect and sell on personal data or spread malware to force the user to pay for it to be uninstalled.

An additional five apps, originally included in the research and found to have the same issues, have recently been removed from Play. The downloads for these apps totalled more than 500 million.

When a person installs one of these free apps they unwittingly grant it access to use part of their phone’s technology. These ‘dangerous access permissions’ range from secretly recording audio, to making phone calls and recording location data. In total, VPNpro discovered eleven types of dangerous permission, with one app, ‘Security Master’, having a total of ten dangerous permissions.

It is believed the majority of these permissions are used to harvest and sell user data. The most profitable is location data, which was requested by 6 out of the 10 antivirus apps. Mobile apps can send user location data every 2 seconds, and in some cases, more than 14,000 times per day to various companies. Paris-based data broker Teemo offers $4 per thousand users per month. If only 1% of Security Master’s 500 million users were active, it would earn $20,000 every month.

Other permissions, such as surreptitiously making phone calls, are known to be involved in scams.

List of top 15 free antivirus apps with number of dangerous permission requests in brackets:

  • Security Master – Antivirus, VPN, AppLock, Booster (10) – 500 million installs
  • Virus Cleaner, Antivirus, Cleaner (MAX Security) (9) (removed recently) – 50 million installs
  • Antivirus Free 2019 – Scan & Remove Virus, Cleaner (9) (removed recently) – 10 million installs
  • 360 Security – Free Antivirus, Booster, Cleaner (9) – 100 million installs
  • Virus Cleaner 2019 – Antivirus, Cleaner & Booster (9) – 50 million installs
  • Super Phone Cleaner: Virus Cleaner, Phone Cleaner (9) (removed recently) – 50 million installs
  • 360 Security Lite – Booster, Cleaner, AppLock (7) – 50 million installs
  • Super Cleaner – Antivirus, Booster, Phone Cleaner (7) – 100 million installs
  • Clean Master – Antivirus, Applock & Cleaner (7) – 1 billion installs
  • Super Security – Antivirus, Booster & AppLock (6) (removed recently) – 10 million installs
  • Antivirus Free – Virus Cleaner (4) (removed recently) – 50 million installs
  • Antivirus Free 2019 – Virus Cleaner (3) – 1 million installs
  • Antivirus Android (2) – 1 million installs
  • Antivirus & Virus Cleaner (Applock, Clean, Boost) (2) – 10 million installs
  • Antivirus Mobile – Cleaner, Phone Virus Scanner (1)

In addition to data harvesting, two of the apps (Cheetah Mobile’s Clean Master and Hi Security’s Virus Cleaner) were found to install spyware and malware. In Virus Cleaner’s case, permission to upload files to your phone could enable it to add more malware to your device that you’ll have to pay to remove. A third app, since removed from Play (Virus Cleaner, Antivirus, Cleaner (MAX Security)), was found to have rogueware – essentially tricking users into thinking they had a virus so they would pay to remove it.

VPNpro has also noted that six of these apps are based in China where data protection laws are very lax and government intervention in tech companies is commonplace.

Jan Youngren from VPNpro said, “These antivirus apps are requesting a large amount of dangerous permissions which is very suspicious – there is simply no legitimate reason for them to do so. Consumers must understand what these permissions actually do and exercise a lot of caution in granting them.

“In general, when selecting an antivirus app for your phone, consider these questions first; do I really need an antivirus app? For the most part, the answer is no. Is this app from a reputable developer? If it isn’t, you might want to choose a well-known brand. Does this app really need these dangerous permissions? For the most part, by denying certain permissions, the entire app may not work. At that point, consider a different antivirus app.”

The only dangerous permission every one of these apps asks for, which VPNpro advises is low risk and potentially legitimate, is the ability to write or update your external storage.

At the end of 2017, India’s intelligence agencies warned the country’s army and paramilitary against using 42 mobile applications identified as spyware or malware. Included in the ban are Cheetah Mobile’s Clean Master – Antivirus, Applock & Cleaner, with a total of 1 billion installs on Google Play, and developer Hi Security’s Virus Cleaner 2019 – Antivirus, Cleaner & Booster, which has more than 50 million installs. It is owned by Shenzhen HAWK, which in turn is owned by TCL Corporation.

Notes to Editors:

Dangerous permission requests types:

RECORD_AUDIO: 1/15 apps requested

RISK: HIGH

Allows the antivirus app to record audio using the device’s microphone. This presents a high risk to your privacy, as untrustworthy apps can secretly record audio, and potentially send these files to servers in various locations.

CALL_PHONE: 6/15 apps requested

RISK: HIGH

Allows an app to make a phone call directly from the app, without using the dialer interface or requiring the user to confirm the call. Apps have been caught making surreptitious phone calls as part of phone scams.

CAMERA: 11/15 apps requested

RISK: HIGH

Allows access to use your device’s camera. Apps with this permission can turn on the camera, record video or take pictures, and possibly send these files to servers in various locations — all without the user’s knowledge.

ACCESS_FINE_LOCATION: 9/15 apps requested

RISK: HIGH

Allows the app to determine your precise location, by using GPS, mobile cell data, wifi, or all three in combination. This is a high risk to your privacy, since marketers or other organizations can correctly identify your location to within a few meters, with some even being able to identify the floor you’re on.

READ_CONTACTS: 7/15 apps requested

RISK: MEDIUM

Allows the antivirus app to look through your contacts data. Apps with this permission can view and record your contact data, and possibly send that information to servers in various locations.

WRITE_CONTACTS: 2/15 apps requested

RISK: MEDIUM

Allows the app to make changes to your contacts data. Apps with this permission can add names to your contacts list, or make changes to your existing contacts. For example, they can switch out the phone number or email address of a trusted contact with a fake number or email address.

READ_EXTERNAL_STORAGE: 14/15 apps requested

RISK: MEDIUM

Allows access to read or view files on your external storage. Apps with this permission can view and record your file data, third-party app logs or system logs, and possibly send that information to servers in various locations.

READ_PHONE_STATE: 12/15 apps requested

RISK: MEDIUM

Allows read-only access to your phone state to see your phone number, status of ongoing calls, and cellular network information. This information could be recorded and possibly sent to servers in various locations.

GET_ACCOUNTS: 10/15 apps requested

RISK: MEDIUM

Allows access to the list of accounts in the Accounts Service. Apps will be able to see all accounts connected to a user’s device, including their account username and account features.

ACCESS_COARSE_LOCATION: 9/15 apps requested

RISK: MEDIUM

Allows the antivirus app to determine the device’s location by using mobile cell data, wifi, or both in combination. Often used in combination with ACCESS_FINE_LOCATION, this presents a privacy risk to users who may want to keep their everyday movements private.

WRITE_EXTERNAL_STORAGE: 15/15 apps requested

RISK: LOW

Allows the antivirus app to write or update your external storage. Out of all the dangerous permissions, this one is the most logical for an antivirus app to have. However, it could also allow nefarious apps to upload malicious files to a user’s device.

About this research

In order to carry out this analysis, these apps were downloaded directly from the Google Play store. The APK files were then extracted from those apps, and the permissions were taken from those APKs.

App groupings for “dangerous permissions” were obtained from the Android developer manifest.
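The permission check described above can be reproduced on any app you are evaluating. The following is an added example, not VPNpro's own tooling: it reads a manifest and reports which of the eleven permissions listed in these notes the app requests, using the risk ratings given here. It assumes the AndroidManifest.xml has already been decoded from the APK's binary format to text XML; the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Risk ratings exactly as listed in the notes above.
RISK = {
    "RECORD_AUDIO": "HIGH", "CALL_PHONE": "HIGH", "CAMERA": "HIGH",
    "ACCESS_FINE_LOCATION": "HIGH",
    "READ_CONTACTS": "MEDIUM", "WRITE_CONTACTS": "MEDIUM",
    "READ_EXTERNAL_STORAGE": "MEDIUM", "READ_PHONE_STATE": "MEDIUM",
    "GET_ACCOUNTS": "MEDIUM", "ACCESS_COARSE_LOCATION": "MEDIUM",
    "WRITE_EXTERNAL_STORAGE": "LOW",
}

# Constructed sample: decoded manifest of a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freeantivirus">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="com.example.freeantivirus.permission.PUSH"/>
</manifest>"""

def dangerous_permissions(manifest_xml):
    """Return {permission: risk} for the listed permissions the app requests."""
    found = {}
    for elem in ET.fromstring(manifest_xml).iter():
        # Both tags request permissions; -sdk-23 applies on Android 6.0+ only.
        if elem.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = elem.get(ANDROID_NS + "name", "")
        short = name[len(PREFIX):] if name.startswith(PREFIX) else None
        if short in RISK:  # repeated declarations collapse into one key
            found[short] = RISK[short]
    return found

def summarize(found):
    """Count the requested dangerous permissions per risk level."""
    return Counter(found.values())

if __name__ == "__main__":
    result = dangerous_permissions(SAMPLE_MANIFEST)
    for perm, risk in sorted(result.items()):
        print(f"{risk:6} {perm}")
    print(dict(summarize(result)))
```

Permissions outside the eleven listed here, such as INTERNET or an app's own custom permission, are ignored by design, so the count is comparable with the bracketed figures in the list above.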

 

VPNpro analyzed the permissions (and levels of those permissions) requested by the 15 free antivirus apps found in the top 30 results for “antivirus”. Note: the initial count of free antivirus apps was 16, but one antivirus app was removed from the Play store before analysis, and a further four removed recently.

When looking at the total amount of permissions requested by these apps, we identified certain permissions as dangerous based on the Android developer’s manifest.

About VPNpro

VPNpro is a research company dedicated to providing impartial information and advice to consumers and businesses on privacy, anonymity and security as well as compiling research on major security and privacy trends.