A slew of popular free Android antivirus apps in recent testing proved to have security holes and privacy issues – including a critical vulnerability that exposes users’ address books, and another serious flaw that enables attackers to turn off antivirus protection entirely.
According to an analysis from Comparitech of 21 Android antivirus vendors, three of the apps tested (from VIPRE Mobile, AEGISLAB and BullGuard) had serious security flaws, and seven apps couldn’t detect a test virus. In total, 47 percent of the vendors tested failed in some way.
VIPRE’s popular app was found to have two insecure direct object reference (IDOR) bugs, including a critical flaw that put premium users with address book sync enabled at risk of having their contacts stolen, including full names, photos, addresses and notes with sensitive personal information.
“Using the online dashboard, we discovered it was possible for attackers to access the address books of VIPRE Mobile users with cloud sync enabled,” Comparitech researchers said in a blog posting on Thursday. “Based on our proof-of-concept and the popularity of the app, we estimate over a million contacts were sitting on the web unsecured.”
The flaw was caused by broken or poorly implemented access control, which manifests as an IDOR vulnerability in VIPRE Mobile’s backend.
“The script responsible only checked to make sure the attacker was logged in,” researchers said. “No further checking was done to ensure the request was being performed by the proper device or account.”
The other serious flaw opened the door to an attacker sending fake antivirus alerts.
“Generating fraudulent alerts and sending them to unsuspecting users was trivial,” researchers said. “We found we could edit fields in the alert request to make it say whatever we wanted. We were able to push fake alerts by capturing the request generated when a virus is found, then manipulating the request to change the user ID and other parameters. The result is an entirely real-looking virus alert displayed on the victim’s VIPRE Mobile dashboard.”
BullGuard’s app, meanwhile, also contained a serious IDOR flaw, which meant that all users were vulnerable to an attacker remotely disabling their antivirus protection. Also, the app had a serious cross-site scripting (XSS) issue that would allow attackers to insert malicious code because of a vulnerable
The IDOR vulnerability would allow an attacker to iterate through customer IDs and disable BullGuard on every device.
“We were able to intercept and alter the request to disable BullGuard Mobile antivirus,” the researchers wrote. “Our testing found the request generated when a user shuts off antivirus protection can be captured and altered. By changing the user ID in this request, antivirus protection on any device can be disabled. Access control did not appear to be in place to ensure the correct user was making the request.”
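The access-control failure behind both the VIPRE and BullGuard IDOR bugs is the same: the backend checks only that the caller is logged in, then trusts the user or device ID supplied in the request. The following added example (not Comparitech's, VIPRE's or BullGuard's code; the handler names, session store and device records are hypothetical and constructed for illustration) models a "disable antivirus" endpoint with that defect beside a hardened version that ties the target device to the authenticated account.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a request is rejected by the access-control check."""


@dataclass
class Device:
    device_id: str
    owner_id: str            # account that enrolled the device
    protection_enabled: bool = True


# Constructed sample data (hypothetical): one valid session for user-1.
SESSIONS = {"sess-abc": "user-1"}


def make_devices():
    """Fresh device store: two accounts, one enrolled device each."""
    return {
        "dev-100": Device("dev-100", "user-1"),
        "dev-200": Device("dev-200", "user-2"),
    }


def disable_protection_vulnerable(devices, sessions, token, request):
    """The pattern the report describes: only 'is the caller logged in?'
    is checked; the device_id in the request body is trusted as-is."""
    if token not in sessions:
        raise AccessDenied("not logged in")
    device = devices[request["device_id"]]   # no ownership check -> IDOR
    device.protection_enabled = False
    return device.device_id


def disable_protection_fixed(devices, sessions, token, request):
    """Hardened: the device must belong to the authenticated account.
    'Not found' and 'not yours' share one error, so IDs can't be enumerated."""
    actor = sessions.get(token)
    if actor is None:
        raise AccessDenied("not logged in")
    device = devices.get(request["device_id"])
    if device is None or device.owner_id != actor:
        raise AccessDenied("device not found")
    device.protection_enabled = False
    return device.device_id


def try_disable(handler, devices, token, request):
    """Run a handler; True if protection was disabled, False if refused."""
    try:
        handler(devices, SESSIONS, token, request)
        return True
    except AccessDenied:
        return False
```

Calling `try_disable` with user-1's session and `{"device_id": "dev-200"}` (user-2's device) succeeds against the vulnerable handler and is refused by the fixed one; the only code change is the ownership comparison.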
In addition, Comparitech found that one of the scripts responsible for processing new users on the BullGuard website is vulnerable to XSS.
“The script in question doesn’t sanitize any parameters passed to it, which enables an attacker to run malicious code,” they explained.
Attackers could exploit this to display an alert on the page, hijack sessions, harvest personal data or use the website as a platform for phishing campaigns.
And finally, users of the AEGISLAB web dashboard were also at risk from a serious XSS flaw that would open the door to attackers inserting malicious code, because the firm didn’t lock down the app’s dashboard.
“We found several XSS flaws affecting one script running on the my2.aegislab.com domain,” according to the analysis. “Because none of the parameters passed to the script were sanitized, it would have been trivial for an attacker to execute malicious code.”
All three vendors have updated their apps to address the vulnerabilities, according to Comparitech.
Virus Detection and Privacy
In addition to the security issues, many apps were found to fall down on the job when it came to basic detection. AEGISLAB Antivirus Free; Antiy AVL Pro Antivirus & Security; Brainiacs Antivirus System; Fotoable Super Cleaner; MalwareFox Anti-Malware; NQ Mobile Security & Antivirus Free; Tap Technology Antivirus Mobile; and Zemana Antivirus & Security failed to detect a test virus.
“The Metasploit payload we used attempts to open a reverse shell on the device without obfuscation,” explained the researchers, in a posting on Thursday. “It was built for exactly this sort of testing. Every Android antivirus app should be able to detect and stop the attempt.”
On the privacy front, many of the “free” apps display targeted ads. So, the researchers also used information from the Exodus mobile privacy database to look for dangerous permissions and advertising trackers.
“In our analysis, dfndr security was far and away the worst offender,” the firm said. “The sheer number of advertising trackers bundled with the app is impressive. As far as we can tell, dfndr puts users’ search and browser habits up for sale on every ad exchange there is.”
dfndr also requests permission to access fine location data, access the camera, read and write contacts, look through the address book, and grab the IMEI (unique ID) and phone number of the device, according to the analysis.
The vendor did not immediately return a request for comment.
The issues found are a testament to the fact that mobile malware is still not a high-volume threat, the researchers said.
“In 2018, Kaspersky Labs reported it blocked 116.5 million virus and malware infections on Android and iOS devices; that sounds like a huge amount but, according to their numbers, only 10 percent of users in the U.S., 5 percent in Canada, and 6 percent in the U.K. needed to be protected from a mobile threat last year,” explained the analysts. “So vendors focus on adding features to differentiate themselves, sometimes instead of improving their codebase. And they clearly don’t always do a great job. Every vulnerability we found was with a system incidental to the actual virus scanning.”
Mobile attacks will be a focus next week at Black Hat 2019, taking place Aug. 7 and 8 in Las Vegas. Be sure to follow all of our Black Hat and DEF CON 27 coverage right here in Threatpost’s special coverage section.