Prachi Sudame

The Free Mobile Anti-virus you are using can be a Fake!

September 9, 2019

Quick Heal Security Labs recently spotted multiple Fake Antivirus Apps on Google Play Store. More alarming still, one of these fake AV Apps has already been downloaded 100000+ times. These Apps appear to be genuine anti-virus/virus-removal Apps, with names like Virus Cleaner, Antivirus security, etc., but do not have any such functionality. As per our analysis, the main purpose of these Apps is to show advertisements and increase the download count.

These Apps mimic the functionalities of a real Anti-virus App and have functions like Scan Device for Viruses. As per our analysis, these Apps don’t have any AV engines or scan capabilities except a predefined list of Apps marked as malicious or clean. This list appears to be static and we haven’t seen it getting updated during our analysis. These Fake AV Apps don’t have any functionalities related to malware scanning or identifying any other security issues. These Apps only show a fake virus detection alert to the user and eventually show advertisements.

Fig. 1 – Fake Mobile AV & Virus Removal Apps

The interesting part of these applications is that they detect themselves as High Risk Applications.

Fig. 2 – Fake Mobile AV App detecting itself as High Risk Application

All these Fake AV Apps share the common functionalities described below:

The Fake AV App contains predefined package lists: whiteList.json with a few whitelisted package names, blackListPackages.json with a few blacklisted package names, and blackListActivities.json with a list of blacklisted activities. These lists are used for the actual scanning and to show the final scan results.

Fig. 3 – Predefined static lists of Whitelisted, Blacklisted Apps and actions

It also contains a list of predefined permissions and uses it to show risks associated with other Apps.

Fig. 4 – Predefined list of permissions

The following code snippet shows that the App checks installed package names against the predefined static whitelist. Interestingly, this is why it detects itself as a High-Risk Application: its own package name is not present in whitelist.json.

Fig. 5 – Code to parse JSON file
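
The lookup described above, modelled in Python as an added example (not the Apps' own code shown in Fig. 5). The JSON layout, the verdict strings and every package name are constructed assumptions; only the idea of matching installed package names against bundled static lists comes from the analysis.

```python
import json

# Constructed stand-ins for the bundled assets named in the article. The flat
# array-of-package-names layout and every package name here are assumptions.
WHITELIST_JSON = '["com.android.chrome", "com.whatsapp", "com.google.android.gm"]'
BLACKLIST_JSON = '["com.example.flashlight.free", "com.example.battery.boost"]'
OWN_PACKAGE = "com.example.viruscleaner"  # hypothetical fake-AV package name

def load_package_list(raw_json):
    """Parse a bundled list into a set of normalised package names."""
    data = json.loads(raw_json)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of package names")
    return {p.strip().lower() for p in data if isinstance(p, str) and p.strip()}

def static_list_scan(installed, whitelist, blacklist):
    """Model of the described 'scan': a name lookup, no file or code inspection."""
    verdicts = {}
    for pkg in installed:
        name = pkg.strip().lower()
        if name in blacklist:
            verdicts[pkg] = "malicious"
        elif name in whitelist:
            verdicts[pkg] = "clean"
        else:
            # Anything the static list has never heard of is reported as risky.
            verdicts[pkg] = "high risk"
    return verdicts

def triage(verdicts, own_package):
    """Analyst view: how much of the 'detection' is just list non-membership."""
    unknown = sorted(p for p, v in verdicts.items() if v == "high risk")
    return {
        "flags_itself": verdicts.get(own_package) == "high risk",
        "unlisted_flagged": unknown,
        "unlisted_ratio": round(len(unknown) / len(verdicts), 2) if verdicts else 0.0,
    }

def demo():
    installed = ["com.android.chrome", "com.whatsapp", OWN_PACKAGE,
                 "com.example.battery.boost", "org.example.banking"]
    verdicts = static_list_scan(installed, load_package_list(WHITELIST_JSON),
                                load_package_list(BLACKLIST_JSON))
    return verdicts, triage(verdicts, OWN_PACKAGE)

if __name__ == "__main__":
    verdicts, report = demo()
    print(json.dumps({"verdicts": verdicts, "report": report}, indent=2))
```

The scanner's own package and an unrelated unlisted app receive the same "high risk" verdict, which is the self-detection behaviour in Fig. 2 and shows that the result carries no information about actual malicious behaviour.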
Here is the list of Fake AV Apps reported to Google by Quick Heal Security Labs. Google has now removed these Apps from the Play Store:

Fig. 6 – IOCs

The applications above use “security” or “Antivirus” in their names but do nothing related to security. As explained above, they work only on a predefined static blacklist/whitelist of Apps and permissions. This might in turn harm the user’s mobile, because the Apps have no capability to detect real malware yet give end users a false impression of being protected. The static blacklist/whitelist and the absence of any update mechanism confirm that these are adware disguised as anti-virus or security-related Apps. The download count of these applications is alarming. It shows how easy it is for a malware author to entice end users into downloading junk Apps.

Quick Heal Total Security for Mobile successfully detects these applications as:

Android.Blacklister.A (PUP) and Android.FakeAV.E (PUP).

While anything that comes FREE might come across as a temptation, remember that FREE can also be FAKE! So beware of falling prey to the free security software available on Play Store. Go only for trusted brands like Quick Heal when it comes to guaranteed security of your device.

How to stay safe from fake mobile apps:

1. Check an app’s description before you download it.

2. Check the app developer’s name and their website. If the name sounds strange or odd, you have all the reasons to suspect it.

3. Go through the reviews and ratings of the app. But, note that these can also be faked.

4. Avoid downloading apps from third-party app stores.

5. Use a reliable mobile antivirus (like Quick Heal Total Security) that can prevent fake and malicious apps from getting installed on your phone.

About Prachi Sudame
Prachi is an Android Malware Analyst at Quick Heal Technologies Ltd. Her interests include Android reverse engineering and malware...

21 Comments


  1. AbdulSalam Mohamed, September 13, 2019 at 6:49 PM

    Many of our friends make rash decisions to install anti virus applications without much thinking or carefully examining the real nature of the said applications and thereby exposing themselves to great losses and running into dire difficulties. In these circumstances the warning by Prachi is quite timely and worthwhile.
    It’s high time that we should be a bit more vigilant while handling the so-called ‘fishing lines’ of Antivirus softwares.
    Prof E A Salam

  2. Sanjeev Rajan, September 13, 2019 at 7:39 PM

    Thanks for the very important information.

  3. Mohd Aurangazeb Shah, September 18, 2019 at 12:39 PM

    Very useful

  4. Ravi Patoliya, September 18, 2019 at 4:26 PM

    This blog is very useful. Thank you for that.

  5. Sumit Sachdeva, September 19, 2019 at 12:42 PM

    Good

  6. Hello Prachi Taai,

    Thanks for giving detailed info on Fake Antivirus applications on Google play.

    Pl. recommend which Antivirus app is reliable for Android mobile, for the benefit of users.

    Greeting and regards.

    Ashok Kadam

  7. It’s true

  8. good

  9. Thanks a lot to aware us…

  10. Good protection for mobile phones.

  11. Kuldeep Singh, October 10, 2019 at 7:40 PM

    Super

  12. Useful information. Thanks Prachi mam.

  13. Abhay chauhan, October 19, 2019 at 1:58 PM

    good

  14. chandrasekhar, October 28, 2019 at 8:31 PM

    Good information.

  15. Devi Chand Saini, November 1, 2019 at 6:17 PM

    Thanks for the news. I trust only quick heal av

  16. Kuldeep Kumar, November 5, 2019 at 7:55 PM

    Thanks for important notice

  17. Good

  18. mahendra kale, November 11, 2019 at 11:05 AM

    Thank you for sharing with us very important information regarding anti virus…

  19. Shantanu Nema, November 13, 2019 at 7:39 PM

    Absolutely true.
    Before Quickheal, even I had such a fake app. It reported numerous threats daily and cleared more than 1 gb clutter everyday. Today I realized that it was a fake one, seeing it on the list: Smart antivirus and security, though I can’t find it on Google Play now.
    Thanks to quickheal

  20. Dinesh patel, November 28, 2019 at 5:48 AM

    Excellent article
    I like more also publish in social media thanks for uplifting my knowledge base. Thanks entire quickheal team.
    Dineshbhai Patel
