Android Test 2018 – 200+ Apps
Release date | 2018-03-29 |
Revision date | 2018-03-29 |
Test Period | January 2018 |
Number of Testcases | 2000 malware, 50 clean |
Online with cloud connectivity | |
Update allowed | |
False Alarm Test included | |
Platform/OS | Android Mobile |
Introduction
AV-Comparatives’ 2017 test of Android antivirus products was inspired by the discovery of an Android app called Virus Shield, which claimed to scan mobile devices for malware, but in fact did nothing of the sort. In reality, running the app simply showed a progress bar, supposed to represent scan progress, followed by an announcement at the end of the “scan” that the device was free of malicious apps. Worryingly, the app had been available on the Google Play Store, and thousands of users had paid money for it (although this was ultimately refunded to them by Google).
Unfortunately, more dubious antivirus apps – ones which appear not to offer any protection at all – have appeared since then. In January 2018, Sophos’ NakedSecurity blog reported that a new dubious antivirus app for Android was available from the Google Play Store. The article claimed that the app in question, Super Antivirus 2018, was equally ineffective at blocking malware as was Virus Shield, but was more sophisticated in its report of apps that had been “scanned”.
It is clear that dubious antivirus apps for Android have not gone away, and users should be on their guard against such tricks. Last year’s test demonstrated that there are also some Android security products that are not deliberately deceptive, but are ineffective at protecting the device against malware. Of the 100 products tested last year, roughly a quarter detected 100% of the malicious apps, but a similar number identified less than 30% of the samples.
To help owners of Android devices to distinguish between genuine and effective Android antivirus apps on the one hand, and dubious/ineffective ones on the other, AV-Comparatives have again tested the effectiveness of antimalware programs for Android, in the 2018 Android Test.
Tested Products
For this test, we searched for and downloaded over 200 antimalware security apps by various different developers from the Google Play Store.
The following 84 apps detected over 30% of malicious apps, and had zero false alarms:
7Labs Antivirus & Security | Lookout Antivirus & Security |
AegisLab Antivirus Premium | MalwareBytes Anti-Malware |
AhnLab V3 Mobile Security | Max Mobi Secure Total Security |
Ali MoneyShield | McAfee Security & Antivirus |
Antiy AVL | MobiDev Studio Antivirus |
Ariasecure Bornaria security | MobileAppDev Virus Cleaner |
Avast Mobile Security & Antivirus | NEWAPPSDEV SmadAV |
AVG Antivirus Free | newborntown Solo Security |
AVIRA Antivirus Security | NightCorp Super Antivirus |
Baidu DU Antivirus Mobile Security & AppLock | NortonMobile Norton Antivirus & Security |
BaiSi Mobile Antivirus | NQ Mobile Security & Antivirus |
BangStudio Virus Cleaner | One App Super Clean Speed Security MAX |
Bastiv Security Antivirus | Panda Free Antivirus |
Best Tools Pro Cleaner | PCVARK Falcon Mobi Cleaner |
Bitdefender Mobile Security & Antivirus | Photo Editor Creative Cleaner |
BullGuard Mobile Security and Antivirus | PICOO Design Power Antivirus |
Check Point ZoneAlarm Mobile Security | Power Tools Team Mobile Security |
Cheetah Mobile CM Security CleanMaster | PSafe Antivirus |
Chili Security Android Security | Qihoo 360 Mobile Security |
Comodo Mobile Security | Quick Heal Antivirus & Mobile Security |
Defenx Security Suite | REVE Antivirus Mobile Security |
DevStudio99 Antivirus | Rising mobile security |
Dr.Web Security Space | Security Apps Studio Virus Cleaner |
Emsisoft Mobile Security | Security Cleaner Team ZoneX Security |
eScan Mobile Security | Security Elite Antivirus |
ESET Mobile Security & Antivirus | Security Mobile Max Clean |
ESTsoft ALYac Android | Security Safe Protect Team Super Virus Cleaner |
Fast Track Super Security Free AntiVirus | Sophos Free Antivirus and Security |
F-Secure Mobile Security | Tencent WeSecure Antivirus |
G DATA Internet Security | TG Soft VirIT Mobile Security |
GearMedia G-Antivirus Security Pro | ThreatTrack VIPRE Mobile Security |
GizmoLife GizmoSafe Antivirus | ToolsDevelope Antivirus |
Google Play Protect | Trend Micro Mobile Security & Antivirus |
Hi Dev Team Security Antivirus & Privacy | TrustGo Antivirus & Mobile Security |
High Security Team Antivirus | Trustlook Premium Mobile Antivirus |
Himlamo Super Antivirus | Vitekco K Antivirus |
Hyper Speed Antivirus | Webroot Security Premier |
Ikarus mobile.security | Wecool Epic Secuity |
IntelliAV Anti-Virus | WhiteArmor Security Pro |
K7 Mobile Security | Z Lock Screen Team Antivirus |
Kaspersky Antivirus & Security | Zemana Mobile Antivirus |
LBE Security Master | ZONER Mobile Security |
The antimalware apps from the following 79 vendors detected less than 30% of the Android malware samples, or had a very high false alarm rate on popular clean files from the Google Play Store: AndroHelm, ANTI VIRUS Security, ARSdev, AVC Security Joint Stock Company, AZ Super Tools, Baboon Antivirus, Best Apps Collection, BKAV, Booster Antivirus, Brainiacs Apps, Bsafe Labs, BSM SECURITY, CA Uber Apps, chkitham, CHOMAR, devapp81, Ellena Rehman, Fast Tool Mobile Apps, fluer-apps.com, Gamma+ Labs, Glagah Studio, GO Security, Gotechgo, GPaddy, AV Antivirus Security Ltd, Green Booster, H2, Hawk App, Hornet Mobile Security, Iobit, ITIanz iT Solution, Itus Mobile Security, Kara Inc., K-TEC Inc., lal bazai, LINE, looptop, Master VPN, Max Antivirus Lab, Max Security, Mobi Fox, MobiCluster, MSYSOFT APPS, Muel Dev., My Android Antivirus, NCN-NetConsulting Ges.m.b.H., NetLink, NOAH Security, Nozzle Ltd, NP Mobile Security, Octa apps, OG Kush, Oriwa, Power Antivirus, Pro Tool Apps, Puce, Radiant Apps World, Rgamewallpaper, Security & Antivirus for Android, Security and Protector for Mobile, ShieldApps, Simply Fantabulous, smallapp, SmartToolsApps, Super Security, TAPI Security Labs, Topi Maxi Group, ToTo Studio, TransApp, UFGAMES, Vasa Pvt Ltd, VSAR, W4VN Team, We Make It Appen, Wingle Apps, Womboid Systems, xplus apps, ZeroApp Ltd., and Zillya! Mobile.
We consider those apps to be risky, as they are either dubious/deceptive or unsafe/ineffective. In a few cases the apps are simply buggy, e.g. because they have poorly implemented a third-party engine. Some apps are clearly dubious, detecting only a handful of very old Android malware samples, and allowing all apps which contain certain strings, making them likely to pass some quick checks and thus be accepted by the app stores.
A number of the above apps have in the meantime already been recognized as Dubious AVs/Trojans/PUA by several reputable mobile security apps – it is to be expected that Google will remove most of them from the Google Play Store in the upcoming months (and hopefully enhance their verification checks, thus blocking other such apps from the store). We would recommend the vendors concerned to remove their apps from the store until they can provide genuine and reliable protection.
The antimalware apps of the following 41 vendors have in the meantime (in the last two months) been removed from the Play Store: androiddeve, Antivirus inc, App-lab, AppsGesture, BestCode, Bethanyzrqcr Zimmermanzisr, Devo669kaptchiia, Diana Randall, DIMOgamesL, Gayle Billick, GoLogix, Joanwy Hartmanebe, JRMedia, katana apps, LHC Lab, Lopez ops Dev Ap Hirox, Millicent Whitehead, Mobile Solution: Antivirus Security, Mobilead Inc., MPSecurityLabs, MtStudio, NCK Corp, now King Apps, Octappis, Ostro Apps, Plus App, prodev2017, Security Lab, Shreeji Tech World, Simple Soft Alliance, SoHDev, Solo Antivirus, SPAMfighter aps, SuperApps Dev GmBH, Superozity, System Security Inc, Tools Security for Mobile, Toolsdev, Total Defense, Uptotop33, and Zexa Software.
Most of the apps removed, as well as the very buggy, unsafe and ineffective apps, appear to have been developed either by amateur programmers or by software manufacturers that are not focused on the security business. Examples of the latter category are developers who make all kinds of apps, are in the advertisement/monetization business, or just want to have an Android protection app in their portfolio for publicity reasons. Apps made by amateurs can be often spotted in the Google Play Store by looking at the options for contacting the authors. Typically, hobby developers will not provide a website address, merely an email address (usually Gmail, Yahoo, etc.). Additionally, most such apps do not provide any sort of privacy policy. Google tries to purge from the Play Store all apps which lack a privacy policy, which helps to get rid of some low-quality apps. Of course, one should bear in mind that not all apps made by amateur developers are necessarily ineffective.
Test Procedure
Description of test system
The Android security solutions tested were checked for their efficacy in protecting against the 2,000 most common Android malware threats of 2017. Manually testing 200+ security products against 2,000 malicious apps is not practicable. Because of this, the test was run on our automated Android testing framework.
Even though the testing process is automated, the framework realistically simulates real-world conditions. This includes testing on physical Android devices (as opposed to emulators), as well as simulation of realistic device usage patterns.
The framework consists of two components: a client app on each of the test devices, and a server application. The client app monitors the status of the device and sends its findings to the server at the end of a test case, to document the testing process. The client monitors file and process changes, newly installed apps and their permissions, as well as reactions of the installed security software to malicious activities on the device. The server remotely controls the test devices via WiFi and organizes the results received by the client applications.
The system scales well with the number of connected clients. This allows a large number of security products to be tested in parallel. To ensure even chances for all participating products, connected clients can be synchronized to start the execution of a test case at the same time. This is especially important for testing recent malware samples, which security vendors may not have encountered yet.
Methodology
The test was performed in January 2018, on Nexus 5 devices running Android 6.0.1 (“Marshmallow”). Each security app was installed on a separate physical test device. Before the test was started, the software testbed on all test devices – Android itself, stock Android apps, plus testing-specific third-party apps – was updated. After this, automatic updates were switched off, thus freezing the state of the test system. Next, the security apps to be tested were installed and started on their respective devices, updated to the latest version where applicable, and the malware definitions brought fully up to date.
If any security application encouraged the user to perform certain actions to secure the device, such as running an initial scan, these actions were performed. If the application offered to activate additional protection functions such as on-install scanning, cloud protection, or detection of Potentially Unwanted Applications (PUA), these features were activated as well. To ensure that all security products could access their respective cloud analysis services, each device was connected to the Internet via a WiFi connection.
Once these steps were taken, a clean snapshot of each device’s storage was created, and the test was started.
Each test case was conducted using the same process:
- Open the Chrome browser and download the malicious sample
- Open the downloaded .apk file using a file explorer app
- Install the malicious app
- Execute the installed app
After each of the above steps, the installed security application was granted enough time to analyze the malicious sample and notify the user of malicious activity on the device.
If, at any point during the execution of a test case, the installed antivirus application detected and blocked the malicious sample, the sample was considered “detected” and the test case was concluded (apps detected after installation were not executed, for instance).
At the end of each test case, the device was reset to a clean state. If the malicious sample had not been executed on the device, the sample was uninstalled and/or deleted from the device storage. If the malicious sample had been run, the clean device snapshot was restored before starting the next test case.
When calculating the protection score for each product, we did not consider at which stage a malware sample was blocked, i.e. whether it was blocked on download, on installation or on execution. The only factor influencing the protection rate is whether the security solution protected the device from being compromised by the malicious sample.
A basic false-alarm test was done, just to check that none of the antimalware products “protects” the system by simply identifying all apps as malicious. Several shady and low-quality apps detected as malware a number of the 50 clean and popular apps from the Google Play Store.
Testcases
For this test, the 2,000 most common Android malware threats of 2017 were used. With such samples, detection rates of between 90% and 100% should be easily achieved by genuine and effective antimalware apps.
Number of tested apps | 204 |
Number of tested malicious APKs | 2000 |
Number of tested clean APKs | 50 |
In total, around 400,000 test runs were performed for this report.
Test Results
Vendor | % |
AegisLab | 100% |
AhnLab | |
Alibaba | |
Antiy | |
Avast | |
AVG | |
AVIRA | |
Baidu DU Apps | |
BaiSi | |
Bitdefender | |
BullGuard | |
CheckPoint | |
Dr.Web | |
Emsisoft | |
ESET | |
F-Secure | |
G DATA | |
Kaspersky Lab | |
McAfee | |
Norton Mobile | |
PCVARK | |
Quick Heal | |
Security Mobile | |
Security Safe Protect | |
Sophos | |
Tencent | |
Trend Micro | |
TrustGo | |
ESTsoft | 99.9% |
Ikarus | |
Webroot | 99.7% |
Ariasecure | 99.5% |
Qihoo 360 | 99.3% |
IntelliAV | 99.2% |
K7 | |
eScan | 99.0% |
Bastiv | 98.8% |
VIPRE | |
REVE | 98.7% |
Security Apps Studio | 98.4% |
WhiteArmor | 98.3% |
Chili Security | 98.1% |
PSafe | 98.0% |
Hi Dev | 97.3% |
Cheetah Mobile | 96.2% |
Panda | 95.7% |
Comodo | 94.5% |
Lookout | 93.9% |
Vendor | % |
Fast Track | 93.4% |
Hyper Speed | |
LBE | |
One App | |
Photo Editor Creative | |
Power Tools Team | |
Security Elite | |
Wecool | |
BangStudio | 92.5% |
MalwareBytes | 87.2% |
Max Mobi Secure | 82.7% |
TG Soft | 82.1% |
Zemana | 78.8% |
Rising | 78.1% |
Google Play Protect | 75.3% |
GizmoLife | 73.2% |
Defenx | 70.4% |
Best Tools Pro | 63.9% |
DevStudio99 | |
MobileAppDev | |
MobiDev Studio | |
ToolsDevelope | |
Z Lock Screen Team | |
NQ | 55.1% |
Trustlook | 51.4% |
Himlamo | 44.6% |
NEWAPPSDEV | |
NightCorp | |
7Labs | 44.4% |
GearMedia | |
High Security Team | |
Vitekco | |
Security Clean Team | 43.8% |
newborntown | |
PICOO Design | 43.6% |
ZONER | 37.6% |
The table above shows the protection rates reached by the 84 products that blocked over 30% of samples. We consider apps that block less than 30% of common Android threats (listed on page 4) to be unsafe to use.
Anti-malware apps detecting under 30% of the 2,000 malicious Android apps are not listed in the chart above – partly for display reasons, but also because we consider them ineffective and unsafe.
Notes
Some products make use of other vendors’ engines (see examples below). While some score the same as the engine vendor’s own product, some do not. According to the licensing developers, this may be caused by several factors, such as different internal settings used by the third-party apps, the use of older engines or different secondary engines, engine implementation and bugs.
- Cheetah Mobile uses an Antiy engine for “heuristic” scans (deactivated by default). The English/International version of Cheetah Mobile would have scored 100% if the “heuristic” engine had been activated. The Chinese version appears to have a bug in the implementation of the Antiy engine.
- CA Uber, Fast Track, Hyper Speed, IOBit, LBE, ONE App, Photo Editor Creative, Power Tools Team, Security Elite, WeCool Security, WeMakeItAppen, and Womboid Studio use the OpenAVL scan engine of Antiy. The quality of the engine implementation varies among the apps.
- Security Mobile and Security Safe Protect use the Tencent scan engine.
- AVG and PSafe use the Avast Qihoo is a major investor in PSafe.
- Chili Security and Emsisoft use an engine made by The Chili Securityapp is basically a rebranded version of an older Bitdefender mobile product – see screenshots below:
During our test, we found that quite a few apps seem to be closely related variants of the same thing, or use a common “AV app template”. In some cases, only the name, logo and colour scheme are different. Examples are shown below:
- 7Labs, GearMedia, High Security Team, Himlamo, NEWAPPSDEV, NightCorp and Vitekco:
- Best Tools Pro, DevStudio99, MobiDev Studio, MobileAppDev, ToolsDevelope Inc, Z Lock Screen Team:
- GO Dev Team, newborntown, Power Antivirus Security, Security Cleaner Team:
- Hyper Speed, ONE App Ltd., Power Tools Team:
- AZ Super Tools, GPaddy Mobile Security, Master VPN, Mobile Antivirus & Security by Netlink, Puce Ltd, Topi Maxi Group, W4VN Team (all of which blocked under 30% of samples):
- Security Elite, Wecool Security Lab
Risky Security Apps
As mentioned in the Tested Products section, some apps were not included in the results table, because we consider them risky. About half of those apps were excluded because of their low malware detection capabilities. The other half blocked many of the malicious samples used in the test, but should in our opinion still be considered risky; in the section below, we explain why we came to this conclusion.
When opening the package files of any of those apps, one can find a suspicious text file in the “assets” subfolder named “whiteList.json”. The following figure shows some of the content of this file:
{ "data": [ { "packageName": "com.google.android.*" }, { "packageName": "com.adobe.*" }, { "packageName": "com.booking" }, { "packageName": "com.facebook.*" }, { "packageName": "com.instagram.*" }, { "packageName": "com.twitter.*" }, { "packageName": "com.whatsapp" }, [...] ] }
The content of the “whiteList.json” file is consistent with the results we found during our false-positive tests: all apps whose package name match this white-list are considered “trusted applications” by these “AV apps”. For example, the whitelisted package name “com.adobe.*”, matches all packages, whose names start with “com.adobe.”. While this entry means that all genuine apps made by Adobe (such as the Acrobat Reader app) will be regarded as safe, this mechanism also allows any malicious app to bypass the security scan, simply by using “com.adobe.*” as its package name.
Apart from the apps on their respective whitelists, the risky “AV apps” block almost all other apps, regardless of whether they were installed from the official Google Play Store or not. Some of them do not even bother to add their own packages to their whitelists, and so even block their own app. If using such an AV app, users can never be sure if any of the other apps on their device are actually malicious, because of the AV app’s “block unless whitelisted” policy. Therefore, we do not consider the protection capabilities of these apps to be appropriate.
In addition to using the same “detection” mechanisms, the user interfaces of these apps look very similar as well. Often only differing in colour, the apps in this category mainly use one of just a few different layouts:
We consider the apps made by the following 38 developers to be deceptive: AV Antivirus Security Ltd, AVC Security, Best Apps Collection, Booster Antivirus, BSM SECURITY, chkitham, Ellena Rehman, Gamma+ Labs, Glagah Studio, Gotechgo, Green Booster, ITIanz iT Solution, lal bazai, Kara Inc, looptoop, MobiCluster, Mobi Fox, MSYSOFT APPS, Muel Dev, NOAH Security, Nozzle Ltd, NP Mobile Security, Octa apps, OG Kush, Oriwa, Radiant Apps World, Rgamewallpaper, Security & Antivirus for Android, Simply Fantabulous, smallapp, SmartToolsApps, Super Security, ToTo Studio, TransApp, UFGAMES, Wingle Apps, xplus apps, and ZeroApp Ltd.
Conclusion
Some of the Android security products in our test blocked so few of the malware samples– in some cases literally none – that they cannot be recommended as anti-malware apps. Additionally, this year we saw a large increase in apps that use questionable detection mechanisms. Combining ineffective and risky anti-malware apps, we consider the majority of the test apps to be unsafe to use.
Some of the apps that were ineffective at blocking malware may have been abandoned by the developer and are thus no longer being updated in the Google Play Store. Whilst such cases cannot be regarded as scams, we consider it irresponsible of the developers not to remove these apps from the Store.
A few products from relatively well-known vendors did not score very well. It is possible that the manufacturers have developed them purely for marketing reasons. That is to say, there is not much money in the Android security-app market, but having an Android app visible in the Google Play Store helps to keep the vendor visible, and may thus promote their other, more profitable products such as Windows security programs.
28 of the products we tested detected 100% of the malware samples; considering that the most common malicious Android apps of 2017 were used, this is what they should do. Most of the vendors that usually take part in independent tests score highly, as their products are regularly scrutinised, and they actively develop them to ensure they are effective.
When it comes to choosing an Android security app, we recommend considering the following factors. Using user ratings is clearly not effective, as the vast majority of users will give their rating based solely on the user experience, without having any idea as to whether the app offers effective protection. Some other reviews will have been faked by developers. Most of the 200 apps we looked at had a review score of 4 or higher on the Google Play Store. Similarly, the number of downloads can only be a very rough guide; a successful scam app may be downloaded many times before it is found to be dubious. Using well-known and reputable, verified vendors is recommended. As well as participating in tests by independent test institutes, such vendors will have a professional website with contact information and a privacy policy. It should also be possible to try the app – typically a few weeks’ trial use is allowed – before purchasing. Users can then assess the usability and any additional features of the product. A number of vendors make very effective free versions of their apps; generally these are more likely to display advertising than the paid version, though this is not always the case.
For additional Android security app tests and reviews, please see:
https://www.av-comparatives.org/mobile-security/
Copyright and Disclaimer
This publication is Copyright © 2018 by AV-Comparatives ®. Any use of the results, etc. in whole or in part, is ONLY permitted after the explicit written agreement of the management board of AV-Comparatives prior to any publication. AV-Comparatives and its testers cannot be held liable for any damage or loss, which might occur as result of, or in connection with, the use of the information provided in this paper. We take every possible care to ensure the correctness of the basic data, but a liability for the correctness of the test results cannot be taken by any representative of AV-Comparatives. We do not give any guarantee of the correctness, completeness, or suitability for a specific purpose of any of the information/content provided at any given time. No one else involved in creating, producing or delivering test results shall be liable for any indirect, special or consequential damage, or loss of profits, arising out of, or related to, the use or inability to use, the services provided by the website, test documents or any related data.
For more information about AV-Comparatives and the testing methodologies, please visit our website.
AV-Comparatives
(March 2018)