One of the problems with enterprise mobile BYOD efforts is that corporate apps, and a lot of corporate data, including sensitive intellectual property, must coexist on the same device with whatever employees choose to download on the personal side. That is far from ideal, but it gets worse when an employee installs a second antivirus program. Unlike doubling up on most apps (two word processors, two email clients, etc.), antivirus programs often conflict and fight each other, generating false positives and other bad results.
Unlike two deadbolts on a door, doubling up on security not only doesn’t work with antivirus, it can actually sharply weaken security. This all assumes that both antivirus programs are professional, effective and well-intentioned. But that’s often not the case. There are quite a few free antivirus programs out there, and they are disproportionately the ones employees opt to download. After all, if the company has already installed a high-level antivirus on the phone, why would an employee pay to install a second? But a free antivirus program is much more tempting.
That’s why I found a new report from Comparitech so alarming. Not only are free antivirus apps filled with adware and guilty of plenty of privacy violations, they are often not even very good at detecting malware, which is supposed to be their whole raison d’être. Indeed, the Comparitech testing showed that almost half (47%) of the 21 free antivirus products it tested (all on Android, for this report) failed in some way, either by missing a test payload or by shipping with a security flaw of their own.
“We found serious security flaws in three of the apps we tested and found seven apps that couldn’t detect a test virus. In total, 47% of the vendors we tested failed in some way,” Comparitech said in a blog post. But the specifics are where things got frightening, and unlike some others in this space, Comparitech named names.
Seven free Android antivirus apps couldn’t detect the presence of a known test payload. “The Metasploit payload we used attempts to open a reverse shell on the device without obfuscation. It was built for exactly this sort of testing. Every Android antivirus app should be able to detect and stop the attempt,” the blog post said. The apps that couldn’t detect the Metasploit payload, according to Comparitech, were AEGISLAB Antivirus Free, Antiy AVL Pro Antivirus & Security, Brainiacs Antivirus System, Fotoable Super Cleaner, MalwareFox Anti-Malware, NQ Mobile Security & Antivirus Free, Tap Technology Antivirus Mobile, and Zemana Antivirus & Security.
“People are enticed by free,” said Paul Bischoff, a lead researcher with Comparitech, in a Computerworld interview.
The way most of these apps — if not all of them — generate revenue is via a combination of selling ads and sensitive user information. Those efforts raise privacy concerns, Bischoff said.
“In our analysis, dfndr security was far and away the worst offender. The sheer number of advertising trackers bundled with the app is impressive. As far as we can tell, dfndr puts users’ search and browser habits up for sale on every ad exchange there is,” the blog post noted. “Dfndr also requests permission to access fine location data, access the camera, read and write contacts, look through the address book, and grab the IMEI (unique ID) and phone number of the device.”
Another privacy problem child, according to Comparitech, is VIPRE. “Using the online dashboard, we discovered it was possible for attackers to access the address books of VIPRE Mobile users with cloud sync enabled. Based on our proof-of-concept and the popularity of the app, we estimate more than a million contacts were sitting on the web unsecured,” the blog post said. “The flaw was caused by broken or poorly implemented access control, which manifests as an insecure direct object reference (IDOR) vulnerability in VIPRE Mobile’s backend. The script responsible only checked to make sure the attacker was logged in. No further checking was done to ensure the request was being performed by the proper device or account.”
BullGuard was another antivirus program that fared horribly in testing, Comparitech said, adding that it worked with the vendor, which fixed the holes.
“BullGuard Mobile Security was affected by an IDOR vulnerability, which allowed a remote attacker to disable antivirus protection. We found it would be trivial for an attacker to iterate through customer IDs and disable BullGuard on every device. Our testing found the request generated when a user shuts off antivirus protection can be captured and altered,” the blog post said. “By changing the user ID in this request, antivirus protection on any device can be disabled. Access control did not appear to be in place to ensure the correct user was making the request. We discovered one of the scripts responsible for processing new users on the BullGuard website is also vulnerable to XSS. The script in question doesn’t sanitize any parameters passed to it, which enables an attacker to run malicious code. In this case, it was trivial to display an alert on the page. In other cases, adversaries might use this vulnerability to hijack sessions, harvest personal data, or carry out a number of other attacks. For example, high trust websites like BullGuard make an ideal platform for phishing campaigns.”
Comparitech added that the BullGuard hole was impressively bad. “The IDOR vulnerability is as embarrassing as it gets for an antivirus vendor. Users rely on antivirus software as a line of defense for their devices, so when it can be disabled silently and remotely, that’s a devastating blow. BullGuard repaired both vulnerabilities, now they need to work on repairing their reputation with users.”
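The VIPRE and BullGuard findings above are the same bug: the backend checked that the caller was logged in, then trusted a customer ID supplied by the client. The following is an added example, written for this page and not code from Comparitech, VIPRE or BullGuard. It models a hypothetical backend in plain Python (the account names, token strings, customer IDs and contact entries are all constructed sample data, and the request parameters and method names are assumptions), shows the "iterate through customer IDs" sweep the report describes against the vulnerable handlers, and then the ownership check that closes the hole. It also includes a small reflected-parameter rendering function beside its escaped form, for the XSS the report found in the signup script.

```python
"""Added example: insecure direct object reference (IDOR) in an antivirus
backend, modelled after the VIPRE and BullGuard findings, plus an escaped
rendering function for the reflected XSS. Not the vendors' real code."""

import html
from dataclasses import dataclass, field


class Unauthenticated(Exception):
    """No valid session token was presented."""


class Forbidden(Exception):
    """Session is valid but does not own the referenced object."""


@dataclass
class Device:
    owner: str                       # account that enrolled this device
    protection_enabled: bool = True  # the flag the BullGuard IDOR flipped
    contacts: list = field(default_factory=list)  # the VIPRE cloud-synced data


class Backend:
    """Constructed sample backend: two customers with sequential numeric IDs."""

    def __init__(self):
        self.devices = {
            1001: Device(owner="alice", contacts=["Bob <bob@example.test>"]),
            1002: Device(owner="mallory", contacts=["Eve <eve@example.test>"]),
        }
        self.sessions = {"tok-alice": "alice", "tok-mallory": "mallory"}

    def _require_login(self, token):
        user = self.sessions.get(token)
        if user is None:
            raise Unauthenticated()
        return user

    # Vulnerable handlers: the only check is "is the caller logged in?".
    # customer_id comes straight from the request, so any session can act
    # on any customer's device. This is the pattern the report describes.
    def vuln_get_contacts(self, token, customer_id):
        self._require_login(token)
        return self.devices[customer_id].contacts

    def vuln_disable_protection(self, token, customer_id):
        self._require_login(token)
        self.devices[customer_id].protection_enabled = False
        return True

    # Hardened handlers: resolve the object, then verify the session owns it.
    def _owned_device(self, user, customer_id):
        device = self.devices.get(customer_id)
        if device is None or device.owner != user:
            # One error for both "no such ID" and "not yours", so the
            # response does not leak which customer IDs exist.
            raise Forbidden()
        return device

    def get_contacts(self, token, customer_id):
        user = self._require_login(token)
        return self._owned_device(user, customer_id).contacts

    def disable_protection(self, token, customer_id):
        user = self._require_login(token)
        self._owned_device(user, customer_id).protection_enabled = False
        return True


def sweep_disable(disable_fn, token, id_range):
    """Replay the 'iterate through customer IDs' attack against one handler
    using a single ordinary session. Returns the IDs actually switched off."""
    disabled = []
    for cid in id_range:
        try:
            if disable_fn(token, cid):
                disabled.append(cid)
        except (Forbidden, KeyError):
            continue
    return disabled


# Reflected XSS in a signup script: parameter echoed into HTML unescaped,
# beside the escaped version that neutralises the alert() proof of concept.
def render_signup_unsafe(name):
    return f"<p>Welcome, {name}!</p>"


def render_signup(name):
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    attacker = "tok-mallory"
    b = Backend()
    print("vulnerable sweep:", sweep_disable(b.vuln_disable_protection, attacker, range(1000, 1005)))
    print("vulnerable contacts:", b.vuln_get_contacts(attacker, 1001))
    b = Backend()
    print("hardened sweep:", sweep_disable(b.disable_protection, attacker, range(1000, 1005)))
    print(render_signup("<script>alert(1)</script>"))
```

Run stand-alone, the vulnerable sweep disables protection on both customers and reads Alice's address book from Mallory's session, while the hardened sweep only reaches Mallory's own device. The fix is not "check harder on the client": the ownership test has to live server-side, next to the object lookup, for every request that names an object by ID.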
Bischoff said the research results weren’t all bad, noting that slightly more vendors fared fine than failed. Asked which of the free-antivirus firms tested fared best, Bischoff said “Malwarebytes is good, Komono is good.”
This report is useful for enterprise IT because of an issue of persuasion. If the entirely legitimate argument that installing a second antivirus program, any second antivirus program, is a bad idea isn’t enough to stop this practice in a BYOD environment, the argument that many of these free programs are actively harmful, from selling user data to shipping remotely exploitable flaws of their own, might do the trick.