LAS VEGAS — Seven Android antivirus apps have or recently had serious security flaws, two German researchers disclosed at the DEF CON 24 hacker conference here today (Aug. 7).
Stephan Huber and Siegfried Rasthofer of the Fraunhofer Institute for Secure Information Technology in Darmstadt said the vulnerabilities permitted exploits ranging from free app upgrades to total hijacking of an Android device. The affected apps came from AndroHelm, Avira, Cheetah Mobile, ESET, Kaspersky, Malwarebytes and McAfee. Except for AndroHelm, the vendors have patched all the flaws.
"Many banks recommend installing mobile antivirus apps to their customers," Huber and Rasthofer said. "But do they really protect us?"
Current Android antivirus apps offer much more than protection against malware, the researchers pointed out. Many apps add a secure browser, protection against spam or a privacy advisor. The most common extra features are anti-theft safeguards, such as the ability to remotely locate, lock or wipe a device that has been lost or stolen.
Most of the apps feature a two-tiered pricing model, with the basic app being free but a yearly subscription fee applying to certain "premium" features. And most of the apps demand many system privileges, which they normally need to intercept and stop malware. However, that high number of system privileges makes antivirus software a target for hackers, who could leverage the software into taking control of a phone.
"What if you could do remote code execution" — hacking from a distance — "on the AV app?" Huber asked. "You might not need root, because the app has so many privileges."
Or, they wondered, could you get an antivirus app's premium features for free? Could you alter the malware scans? Could you abuse the remote-lock function to act as essentially ransomware?
The answer is "yes" to each for at least one of the seven Android antivirus apps tested, Huber and Rasthofer said. They walked the audience through a free premium upgrade for the AndroHelm Antivirus app, which involved backing up the Android device to a PC, substituting a single line of text in the AndroHelm app, then restoring the phone from the backup.
ESET Mobile Security & Antivirus could also be upgraded for free, but the process was more difficult and involved cracking encrypted communications between the app and ESET's own servers.
AndroHelm was subject to hijacking of the antitheft features, which depend on precisely worded SMS commands coming from predesignated "friends'" cellphones and containing specific SMS passwords. But if the anti-theft feature is not turned on, an attacker could wipe the phone by sending the similar commands with the password left blank.
Malwarebytes Anti-Malware for Android, like many other antivirus applications, conducts its malware-signature updates over the plaintext HTTP protocol, which makes the updates vulnerable to a man-in-the-middle attack in which an unseen interloper changes data in transit. The ZIP file containing new Malwarebytes updates is encrypted with a key that's hardcoded into the Malwarebytes app, which the attacker can easily find.
Meanwhile, Kaspersky Internet Security for Android, which also sends malware signature updates over HTTP, can be abused to inject malicious code into definition updates. A man-in-the-middle attack can substitute malicious files for good ones in the update bundle, and structure them in such a way that the malware executes once the Kaspersky app is restarted.
Because the Kaspersky app has such high system privileges, an attacker who hijacks the Kaspersky app can do nearly everything the legitimate user does, including make calls, send texts and go online.
Avira Antivirus Security for Android, Cheetah Mobile CM Security and McAfee Security & Power Booster all also were subject to these or similar flaws, Huber and Rasthofer said. However, they added, each of the vendors had been contacted, and six of the seven had patched the flaws. The holdout was AndroHelm, which is made by a small Russian company.