Numerous Android Antivirus Apps Found to Contain Critical Security Vulnerabilities

An antivirus app should keep the phone safe from security threats. However, researchers have found numerous Android antivirus apps that themselves contain security vulnerabilities; one of them even exposed users’ address books.

Flaws Discovered In Android Antivirus Apps

Researchers from Comparitech have identified numerous mobile antivirus apps with serious security issues. They tested 21 applications, of which 10 (around 47%) failed their tests.

As stated in their blog,

We found serious security flaws in three of the apps we tested, and found seven apps that couldn’t detect a test virus.

In summary, three of the apps contained security vulnerabilities. Of these, VIPRE had a critical IDOR (insecure direct object reference) flaw that exposed contacts from users’ address books.

Using the online dashboard… it was possible for attackers to access the address books of VIPRE Mobile users with cloud sync enabled.

When exploited, the flaw allowed an attacker to download users’ contacts as vCard files containing sensitive information. According to the researchers,

Many of the leaked contacts contain full names, photos, addresses, and notes with sensitive personal information.

VIPRE also had another flaw that could allow an attacker to send fake antivirus alerts.
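To make the IDOR concrete, here is an added illustration (not Comparitech’s PoC and not VIPRE’s code) of the pattern the report describes: a cloud-sync dashboard endpoint that exports a user’s contacts as vCards but looks the contacts up by an account ID taken straight from the request, so any logged-in user can pull anyone else’s address book. The account IDs, contact records and function names are all constructed for this example; the fixed variant simply refuses to serve an account other than the one bound to the session, and the probe function is the kind of check an auditor runs to confirm whether the flaw is present.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Contact:
    full_name: str
    phone: str
    note: str = ""


# Constructed sample "cloud sync" store: account_id -> synced contacts.
# Account 1001 is the attacker's own account; 1002 belongs to a victim.
CONTACT_STORE: Dict[int, List[Contact]] = {
    1001: [Contact("Alice Example", "+1-555-0100", "landlord")],
    1002: [Contact("Bob Example", "+1-555-0200", "medical: penicillin allergy")],
}


class Forbidden(Exception):
    """Raised when a session tries to read an account it does not own."""


def to_vcard(contact: Contact) -> str:
    """Serialise one contact as a minimal vCard 3.0 record (CRLF line endings)."""
    lines = [
        "BEGIN:VCARD",
        "VERSION:3.0",
        f"FN:{contact.full_name}",
        f"TEL:{contact.phone}",
    ]
    if contact.note:
        lines.append(f"NOTE:{contact.note}")
    lines.append("END:VCARD")
    return "\r\n".join(lines) + "\r\n"


def export_contacts_vulnerable(session_user: int, account_id: int) -> str:
    """IDOR: the handler authenticates the session but then uses the
    client-supplied account_id as the lookup key without checking ownership."""
    return "".join(to_vcard(c) for c in CONTACT_STORE.get(account_id, []))


def export_contacts_fixed(session_user: int, account_id: int) -> str:
    """Hardened: the only account a session may export is its own.
    (In a real app the ownership check would consult the session/user table,
    not compare two integers; the shape of the check is what matters.)"""
    if account_id != session_user:
        raise Forbidden(f"account {account_id} is not owned by user {session_user}")
    return "".join(to_vcard(c) for c in CONTACT_STORE.get(account_id, []))


def idor_probe(export: Callable[[int, int], str], session_user: int,
               candidate_ids: List[int]) -> List[int]:
    """Audit helper: with one legitimate session, request every candidate
    account ID and return the IDs for which contact data came back."""
    leaked = []
    for account_id in candidate_ids:
        try:
            if export(session_user, account_id):
                leaked.append(account_id)
        except Forbidden:
            pass  # the fix works for this ID
    return leaked


if __name__ == "__main__":
    ids = [1001, 1002, 1003]
    print("vulnerable endpoint leaks:", idor_probe(export_contacts_vulnerable, 1001, ids))
    print("fixed endpoint leaks:     ", idor_probe(export_contacts_fixed, 1001, ids))
```

The probe walks a short range of IDs with a single authenticated session; against the vulnerable handler it returns the victim’s account as well as the attacker’s own, and the victim’s exported vCard carries the NOTE field, which is exactly the kind of sensitive detail the researchers found in the leaked contacts.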

The other two apps found to contain vulnerabilities were BullGuard and AEGISLAB. BullGuard had two flaws: a cross-site scripting (XSS) flaw, and another that allowed an attacker to remotely disable the app. In the case of AEGISLAB, the app’s web dashboard was vulnerable to XSS attacks.

The researchers have shared details of these vulnerabilities, along with the relevant PoCs, in their blog.

In addition, the researchers identified seven apps that failed to detect a test virus. They also noted that the app ‘dfndr security’ requested dangerous permissions.

dfndr puts users search and browser habits up for sale on every ad exchange there is.
dfndr also requests permission to access fine location data, access the camera, read and write contacts, look through the address book, and grab the IMEI (unique ID) and phone number of the device.

What Now?

Comparitech confirmed that all three apps, VIPRE, BullGuard, and AEGISLAB, have fixed the vulnerabilities. However, Privacy Lab Antivirus & Mobile Security is no longer on the Play Store, since it failed to detect the test virus file.

For now, the only viable precaution against such issues is to download apps from reputable developers only; this applies to antivirus apps as well.

Let us know your thoughts in the comments.
