The Smartphone market grew enormously over the last five years and the mobile malware evolved rapidly, too. Right now there are over 450.000 apps in the Android market, where as there were less than 100.000 in July 20101. This makes it the fastest growing software market overall. With the rise of new apps, the number of malware increases as well. Figure 1 shows the growth of the AV-TEST Android malware collection. The increasing curve is similar to what we’ve seen for PC malware in the last years. The threats for Android include Phishing- and Banking-Trojans, Spyware, Bots, Root Exploits, SMS Fraud, Premium Dialers and Fake Installers. There have also been reports about Download-Trojans – apps that download their malicious code after installation – which means that these apps can’t be easily detected by Google’s Bouncer technology during publication in the Google Android Market. Our collection used for this test contains more than 20 different Android malware families, which cover each of the previously named threats.
In November 2011 we’ve revealed that many Antivirus apps, which are available for free in Google’s Android Market, don’t provide a sufficient malware protection for your Android mobile. This time we are trying to cover the good and the bad and started reviewing as many Android Anti-Malware apps as we could find, regardless whether an app requires a specific Android version or device. These apps include free and non-free programs, intended for personal use. This report aims to give an impression of the malware detection rates. As an independent test institute, we aren’t in the position to recommend a specific product, but you can certainly use our report to find your personal favorite. However please bear in mind, that malware may not the only or the most important threat to your device. Even if a product scores poorly in malware detection it may have other convenient features, such as remote lock and wipe, backup and phone locating, that make it useful for your purposes. It is also possible to run two or more security apps on your device at the same time, using only the best features of the single apps.
2. Test report
The large number of tested apps required a scalable test environment, so we decided to use the Android emulator supplied by the Android SDK as basis for the review. The emulator has some advantages in contrast to a real device. There is root-access without exploiting the device and you can easily switch between API versions and screen sizes. It has also some disadvantages. You don’t have a real phone number, which might be required to activate an app through SMS, and the emulated 3G connection may have a too high latency for querying the cloud of some vendors. While the advantages of the emulator make testing more comfortable, the disadvantages limit the number of apps, which could be properly tested. To get around this limitation, the apps, which didn’t work in the emulator, were tested on a real device and all emulator results were cross checked and verified on a real device. The emulator was set up with API level 10 (Gingerbread, Version 2.3) and for non-emulated testing we used a Samsung GalaxyTab (GT-P1010) with Froyo (Version 2.2) and a Samsung Galaxy Nexus (GT-I9250) with Ice Cream Sandwich (Version 4). The products were updated to their latest available versions/signature updates and were allowed to connect to their cloud during the test. The real devices were flashed to factory default settings after every test to provide each product the same clean environment.
Among the tested apps we saw two different approaches for the on-demand scan. While many apps simply scan the complete device storage, some other apps scan installed apps and important files only. The latter were not able to scan the malware set with 618 malicious APK-files as it was stored on the SD card. Therefore, we tested the real-time protection feature of those apps instead. That means that all malware apps in our sample set were installed on a device or emulator one by one. After an app has been installed, the tester waited for feedback of the real-time protection, which should pop up if it finds a malicious app. In case of an undetected sample, it was uninstalled manually. This is a time consuming approach and may not work in the future with larger sample sets (see Fig. 1).
Regarding the detection rates, it makes no difference whether a malicious app is detected by an on-demand scan or by the real-time scan, when the app is installed. From the testers’ point of view, an on-demand scan with many samples is much easier to realize than an on-access scan. However from the user’s point of view the only criterion is protection, no matter at which point and how this takes place.
After an on-demand scan has been completed and all detections were removed the testers saved the remaining files, because the reporting abilities weren’t consistent among all apps. The files that were left over and have not been modified were flagged as “not detected”. In case of the on-access testing, the testers wrote their own report since the samples were tested one by one. With the knowledge of which specific files have been detected by a scanner, we were able to analyze the scan results based on malware families. The family based analysis can help vendors to improve the protection for malware families with low detection rates. If the results would only provide a total, absolute detection rate, it would be impossible to notice if an app that scored well missed an entire malware family or not. So this way of displaying the results gives both the reader and the vendor much more insight. Furthermore this helps to decide whether a product that doesn’t score 100% is still a good choice, e.g. because it misses on a malware family that is no threat to a specific user group or environment.
In this report no exact detection rates are given, instead the products are grouped into five different categories, referring to different ranges of detections (Fig. 2 and Fig. 3). The first category contains products that detected over 90%, the second category 90% to 65%, the third 65% to 40%, the fourth everything less than 40% but above 0% and finally the last group contains the products that didn’t detect anything.
There are several reasons for doing that:
- The number of malware samples is still fairly small
- Determining the prevalence of malware apps is difficult
- Malware apps are quickly removed from the market (and even remotely from the device)
This all comes down to one issue: It can happen very easily that a sample set is distorted by samples that are not really relevant anymore or were never at all. It is impossible for us to measure the prevalence of malware apps. It is also not possible to determine when and how long they have been a threat to the user. Therefore we identified the most widely known malware families and primarily used those for the test. Only malicious apps that we have discovered between August and December 2011 have been included in the test set. A few further malicious apps which don’t belong to the listed families have been put in a category called “Other” and represent other families. Even with those precautions it is possible that malware samples that are not suitable for this test are included. Already 30 wrongly chosen samples could change the result by 5%. In order to avoid too heavy effects from these issues, the results are categorized. However, by looking at the individual family detections it is still possible to get a fairly accurate picture of the absolute detection rate.
The products were distributed over all detection ranges as shown in Figure 3.
3. Test results
During February and March 2012 we reviewed 41 different Android Anti-Malware solutions. The test results are shown in Figure 4³. The best products in our tests (with detection rates of 90% and above) come from the following top 10 companies, listed in alphabetic order: Avast, Dr. Web, F-Secure, Ikarus, Kaspersky, Lookout, McAfee, MYAndroid Protection, NQ Mobile and Zoner. Users of products made by these companies can be assured that they are protected against malware.
Products with a detection rate of between 65% and 90% can also be considered to be very good and have the potential to join the group of best products above if small changes are made to the set of malware tested. Some of these products only fail to detect just one or two malware families that may not even be prevalent in certain environments. The following 13 products, listed in alphabetic order, fall into this category: AegisLab, AVG Mobilation, Bitdefender, BullGuard, Comodo, ESET, Norton, QuickHeal, Super Security, Total Defense, Trend Micro, Vipre and Webroot. It should be noted that Bitdefender, ESET, Trend Micro and Vipre missed the top category by just a few samples. The average family detection rate for these four products was in the area of 88.1% to 89.9%.
BluePoint, G Data and Kinetoo fall into the third category, namely that of products with a detection rate of between 40% and 65%. It is possible that the manufacturers of these products do not yet have a sufficient infrastructure that enables them to collect a wide range of malware or that they focus on a local market. These products provide reliable malware protection against a few families,but have trouble dealing with and detecting others. It can be expected that these products will improve when their manufacturers focus on a wider variety of malware samples.
The fourth category, which is used for products with a detection rate of less than 40%, does not contain any products from well-known anti-virus protection manufacturers. Some of the products in this category also performed below average in our last test. We have now reviewed two other products that are listed in this final category and we could not clearly determine whether or not they correctly scanned the set of malware test or whether they were actually able to detect anything at all. We were therefore unable to record a detection rate when using our set of well-known samples or the EICAR test file.
Even in the on-access tests these products had no detections. So it is safe to assume that these products really don’t detect anything, but we still wanted to point out the possibility of a flaw in our testing methodology.
The malware family based analysis in Figure 5 shows that some products miss the top group only due to their low detection of one or two malware families. You can expect better signatures for these families to be added in the near future. The detection of specific families can also depend on each vendor’s definition of malware. Some families might only be annoying advertisement apps, while others include real malicious code, which can lead to monetary damage or data loss. Therefore some vendors may decide to not detect certain potentially unwanted, but not clearly malicious, apps.
4. Testing issues
Despite the fact that some apps weren’t able to scan our sample set on the SD card and therefore have to be tested in a time consuming on-access test, we were also faced with apps which couldn’t delete all detections automatically. They didn’t even provide a “Do it! And never ask me again!” option in the case of more than one malware detection. This fact led to testers clicking a “remove”-button several hundred times. While such options are very common in desktop applications, they aren’t in the Android world yet. Also scan reports couldn’t be saved within most of the tested apps. Some apps use SQLite databases to save their scan results and we were able to collect the corresponding db-files from the emulators only. As accessing those files requires root privileges, they weren’t collected from the real devices. The average user shouldn’t miss such features, as its device should never be infected with hundreds of malicious apps, but those simple functions would make a testers life much easier.
As pointed out before, there are also apps which use their cloud to detect malware. While this worked flawlessly with most products, both in emulated environments as well as on a real device there were a few exceptions. We have seen products that were not able to query their cloud in the emulator at all, even if full internet access was provided. There were also products that did have some trouble on a real device. This might be due to latency issues and could only be resolved by repeated tests until no further problems occurred.
5. Conclusion
Even if Google now checks all apps on its Android Market, you should consider installing a security app, because nowadays the malware authors are able to load their malicious code after a seemingly clean app has been installed. Regarding the detection rates, you can trustfully choose from at least 17 products to protect your Android device. What you should also have in mind when choosing your mobile security app are additional functions such as backup and anti-theft protection (e.g. find your lost device or wipe all data remotely).
To keep your device free of malware even without a security app, you should install apps only from trusted sources, like the Google Android Market or the Amazon Appstore for Android. Read the comments carefully and check whether the required permissions are reasonable (e.g. a game usually shouldn’t need the permission to read or write SMS unless its description lists the specific features using these permissions). As it may take between two to four weeks until Google removes malicious apps from its Android Market, you should also be careful with new apps on the market. Wait until apps are well-established, e.g. they were downloaded several thousand times and have many good ratings, or visit the developer’s website, which should at least provide contact information.
In most cases when there is a free (often called Lite) and a paid version, the malware detection capabilities are the same. So if you are just looking at the detection rates, you can take the Lite result and apply this to the paid version and vice versa. Another finding of the test is, that the well known Desktop IT vendors perform above the average. Even the worst products from those vendors are still better than most of the specialized mobile security software vendors.
For more information, please refer to http://www.av-test.org/fileadmin/pdf/avtest_2012-02_android_anti-malware_report_english.pdf
