Today’s evil often comes in the form of ransomware, keyloggers, or spyware, against which AntiVirus applications are usually an end-user’s only means of protection. But current security apps not only scan for malware, they also aid end-users by detecting malicious URLs, scams or phishing attacks. Generally, security apps appear so self-evidently useful that institutions such as online-banking providers even require users to install anti-virus programs.
However, we show that the installation of security applications, at least in the context of smartphones, can sometimes open the device to a number of new attack vectors, making the system more vulnerable instead of less vulnerable to attacks. In recent research we looked at Android security apps from renowned vendors such as Kaspersky Lab, McAfee, Androhelm, ESET, Malwarebytes and Avira. When conducting a study of the apps‘ security features (AntiVirus and privacy protection, device protection, secure web browsing, etc.), we found that a lot of security applications contained critical vulnerabilities. In a simple case, we would have been able to harm the app vendor’s business model by upgrading a trial version into a premium one at no charge. In other instances, attackers would be able to harm the end-user by completely disabling the malware-scanning engine remotely. Or how about accessing confidential data by exploiting broken SSL communication, broken self-developed crypto implementations or through SQL-injections? Yes, we can. On top of all that, we were able to bypass the secure browsing protection and abuse it for code execution. The most alarming findings, however, were security applications that we were able to actually turn into remote access trojans (RATs) or into ransomware.
We looked into the following security applications:
We started the responsible disclosure process for all mentioned security vendors in November 2015 (we released our findings in June 2016).
There were no special reasons why we did not look into other security applications. Therefore, we do not know if other security applications also contain vulnerabilities. There is currently no plan to look into these applications.
For more details, please have a look into our advisories.
How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire
Stephan Huber and Siegfried Rasthofer
In: DEF CON 24, August 2016. (slides, video)
(In-) Security of Smartphone AntiVirus and Security Apps
Stephan Huber and Siegfried Rasthofer
In: VirusBulletin 2016, October 2016. (pdf, slides, video)
