Critical Bug in Android Antivirus Exposes Address Books

android free antivirus apps

Comprehensive testing of 21 free Android antivirus apps revealed big security vulnerabilities and privacy concerns; especially for AEGISLAB, BullGuard, dfndr and VIPRE.

A slew of popular free Android antivirus apps in recent testing proved to have security holes and privacy issues – including a critical vulnerability that exposes user’s address books, and another serious flaw that enables attackers to turn off antivirus protection entirely.

According to an analysis from Comparitech of 21 Android antivirus vendors, three of the apps tested (from VIPRE Mobile, AEGISLAB and BullGuard) had serious security flaws, and seven apps couldn’t detect a test virus. In total, 47 percent of the vendors tested failed in some way.

VIPRE’s popular app was found to have two insecure direct object reference (IDOR) bugs, including a critical flaw that put premium users with address book sync enabled at risk of having their contacts stolen, including full names, photos, addresses and notes with sensitive personal information.

“Using the online dashboard, we discovered it was possible for attackers to access the address books of VIPRE Mobile users with cloud sync enabled,” Comparitech researchers said in a blog posting on Thursday. “Based on our proof-of-concept and the popularity of the app, we estimate over a million contacts were sitting on the web unsecured.”

The flaw was caused by broken or poorly implemented access control, which manifests as an IDOR vulnerability in VIPRE Mobile’s backend.

“The script responsible only checked to make sure the attacker was logged in,” researchers said. “No further checking was done to ensure the request was being performed by the proper device or account.”

The other serious flaw opened the door to an attacker sending fake antivirus alerts.

“Generating fraudulent alerts and sending them to unsuspecting users was trivial,” researchers said. “We found we could edit fields in the alert request to make it say whatever we wanted. We were able to push fake alerts by capturing the request generated when a virus is found, then manipulating the request to change the user ID and other parameters. The result is an entirely real looking virus alert displayed on the victim’s VIPRE Mobile dashboard.”

BullGuard’s app meanwhile also contained a serious IDOR flaw, which meant that all users were vulnerable to an attacker remotely disabling their antivirus protection. Also, the app had a serious cross-site scripting issue (XSS) that would allow attackers to insert malicious code because of a vulnerable

The IDOR vulnerability would allow an attacker to iterate through customer IDs and disable BullGuard on every device.

“We were able to intercept and alter the request to disable BullGuard Mobile antivirus,” the researchers wrote. “Our testing found the request generated when a user shuts off antivirus protection can be captured and altered. By changing the user ID in this request, antivirus protection on any device can be disabled. Access control did not appear to be in place to ensure the correct user was making the request.”

In addition, Comparitech found that one of the scripts responsible for processing new users on the BullGuard website is vulnerable to XSS.

“The script in question doesn’t sanitize any parameters passed to it, which enables an attacker to run malicious code,” they explained.

Attackers could exploit this to display an alert on the page, hijack sessions, harvest personal data or use the website as a platform for phishing campaigns.

And finally, users of the AEGISLAB web dashboard were also at risk from a serious XSS flaw that would open the door to attackers inserting malicious code, because the firm didn’t lock down the app’s dashboard.

“We found several XSS flaws affecting one script running on the domain,” according to the analysis. “Because none of the parameters passed to the script were sanitized, it would have been trivial for an attacker to execute malicious code.”

All three vendors have updated their apps to address the vulnerabilities, according to Comparitech.

In addition to the security issues, many apps were found to fall down on the job when it came to basic detection. AEGISLAB Antivirus Free; Antiy AVL Pro Antivirus & Security; Brainiacs Antivirus System; Fotoable Super Cleaner; MalwareFox Anti-Malware; NQ Mobile Security & Antivirus Free; Tap Technology Antivirus Mobile; and Zemana Antivirus & Security failed to detect a test virus.

“The Metasploit payload we used attempts to open a reverse shell on the device without obfuscation,” explained the researchers, in a posting on Thursday. “It was built for exactly this sort of testing. Every Android antivirus app should be able to detect and stop the attempt.”

On the privacy front, many of the “free” apps display targeted ads. So, the researchers also used information from the Exodus mobile privacy database to look for dangerous permissions and advertising trackers.

“In our analysis, dfndr security was far and away the worst offender,” the firm said. “The sheer number of advertising trackers bundled with the app is impressive. As far as we can tell, dfndr puts users search and browser habits up for sale on every ad exchange there is.”

dfndr also requests permission to access fine location data, access the camera, read and write contacts, look through the address book, and grab the IMEI (unique ID) and phone number of the device, according to the analysis.

The vendor did not immediately return a request for comment.

The issues found are a testament to the fact that mobile malware is still not a high-volume threat, the researchers said.

“In 2018, Kaspersky Labs reported it blocked 116.5 million virus and malware infections on Android and iOS devices; that sounds like a huge amount but, according to their numbers, only 10 percent of users in the U.S., 5 percent in Canada, and 6 percent in the U.K. needed to be protected from a mobile threat last year,” explained the analysts. “So vendors focus on adding features to differentiate themselves, sometimes instead of improving their codebase. And they clearly don’t always do a great job. Every vulnerability we found was with a system incidental to the actual virus scanning.”

Mobile attacks will be a focus next week at Black Hat 2019, taking place Aug. 7 and 8 in Las Vegas. Be sure to follow all of our Black Hat and DEF CON 27 coverage right here in Threatpost’s special coverage section.

Suggested articles


  • VIPRE Security on

    This is a great article that addresses the need for mobile security to become a greater focus among all cybersecurity vendors. We are excited to say that we will be releasing something to replace VIPRE Mobile Security very soon. We have begun the process of to end-of-life this very dated, old technology to make way for something new and extremely more effective.
  • VIPRE Security on

    Also, to reiterate what the article states. VIPRE has already patched the mentioned flaws in the security product.
  • Anonymous on

  • Larry Smith on

    What are the other 17 AV spps? BTW, your Verify sucks! The images were so grainy, it was difficult to see.
    • Tara Seals on

      These are the ones they tested: AEGISLAB Antivirus Free Malwarebytes Security: Virus Cleaner, Anti-Malware AVL Pro Antivirus & Security APUS Security - Clean Virus, Antivirus, Booster Brainiacs Antivirus System BullGuard Mobile Security and Antivirus Phone Cleaner Comodo Free Antivirus, VPN and Mobile Security Emsisoft Mobile Security ESET Mobile Security & Antivirus Dr.Capsule - Antivirus, Cleaner, Booster Fotoable Antivirus & Cleaner NQ Mobile Security & Antivirus Free Zemana Antivirus & Security MalwareFox Anti-Malware Antivirus Mobile - Cleaner, Phone Virus Scanner dfndr security: antivirus, anti-hacking & cleaner Privacy Lab Antivirus & Mobile Security Webroot Business Security VIPRE Mobile Security V3 Mobile Security
  • Sir Trunk on

    So, you're admitting your product is currently crap, but you'll keep selling it until you can release this magically better version?
  • Brian on

    Sir Trunk, is that response really necessary? VIPRE is a brand that I have never heard much about, but the fact that they care enough about their product and their consumers to respond to this article says something. I mean... I personally think mobile security products are all garbage, and the best defense is user education and knowing what NOT to click / install, and using updated versions of iOS or Android on all devices.
  • Samantha on

    Here is an official statement from PSafe’s CEO, Marco DeMello regarding this article: "We never have and never will sell user data. We don't even collect any personally identifiable information (PII) and all other data, again, is used locally for security purposes and never sold to anyone. The advertising software development kits (SKDs) that dfndr uses are implemented from Google, Facebook, Mopub and in no case do we ever share any user data with these SDKs. As far as the "dangerous permissions and advertising trackers," that the Comparitech report says it looked for are concerned, the dfndr app only asks for geo-location, camera, IMEI etc. permissions for an anti-theft feature which is 100% opt-in, and allows users to remotely wipe their phones. Only the owner can do that, PSafe cannot. This feature also allows users to receive location data and pictures of intruders if their phones are lost or stolen. Only users that activate the anti-theft feature provide our dfndr app with these permissions, and only for that purpose. Since January of this year we have blocked over 283 million phishing and 30 million malware attacks against our users. We detect, notify, and help users recover from leaked or stolen identities and credentials over 30K times per day. We’re one of the good guys". Hopefully that fits in their comment section!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.