Improving Android Antivirus Efficacy Testing: Detection Upon Download
Real-life Infection Scenarios
In a typical real-life scenario, device infection is a multi-step process (we are not talking here about zero-click or zero-day exploits). A typical infection chain requires the user to disable several built-in Android safeguards, for instance turning off Play Protect or allowing apps from untrusted external sources.
As openness and the ability to change security settings in the operating system are a fundamental element of the Android philosophy, users can carry out these actions with ease, and are often instructed how to do so.
To make matters worse, once the infection chain reaches the point where the piece of malware is installed and started for the first time, antivirus software (AV) tends to lose its edge. The AV effectively becomes “just another app”, with no access to other apps' running processes or memory contents; it simply does not have the influence it would have on a Windows device. Therefore, once a piece of malware has been installed and run, it is usually game over on an Android device.
Therefore, the earlier an AV intervenes in the infection chain, the better. However, even as of late 2021, many AVs focus their detection on one crucial point: the short time window between installation and the first time the user starts the newly installed app. Detection after installation thus acts as a last safeguard, and at this stage AVs are much less effective in protecting the user.
Detection upon download
A typical attack involves the malicious sample being downloaded and then installed manually. APKs are essentially ZIP files, so they can be analysed to some extent while they are being downloaded sequentially, and the user cannot install them until the download completes. That would be the ideal moment for intervention, yet many AVs miss the opportunity and do not engage their detection mechanisms for APKs during download.
In our opinion, an AV that catches malware during download fares better than one that allows installation and then warns the user about the potential consequences of actually starting the app. Therefore, there are differences even between AVs with 100% efficacy.
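To make "analysed to some extent while being downloaded" concrete, here is an added example (not code from the original post or from the testing lab) of a streaming ZIP reader that consumes an APK chunk by chunk, as a download would deliver it. Each entry's local file header and content become available long before the last byte arrives, so the entry name and a content hash of, say, `classes.dex` can be compared against a blocklist while the download is still in progress; the whole-file hash and the central directory are only available once the download completes, which is exactly the point at which "detected after download" begins. The `StreamingApkInspector` class, the sample APK and the blocklist digest are all constructed here for illustration, and the unseekable-stream variant shows the edge case in which a ZIP writer uses data descriptors, leaving the sizes unknown until the central directory arrives.

```python
import hashlib
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"   # sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes
DATA_DESCRIPTOR = 0x0008       # flag bit 3: sizes follow the entry data instead of preceding it


class StreamingApkInspector:
    """Feed download chunks in order; an entry is reported as soon as all of its bytes are in."""

    def __init__(self):
        self._buf = b""
        self._state = "header"            # header -> data -> header ... -> done (central directory)
        self._cur = None                  # (name, remaining compressed bytes, decompressor, sha256)
        self.entries = []                 # (name, sha256 of entry content, bytes received when complete)
        self.total = 0
        self.whole_file = hashlib.sha256()   # only meaningful after the final chunk
        self.uses_data_descriptor = False

    def feed(self, chunk):
        self.total += len(chunk)
        self.whole_file.update(chunk)
        self._buf += chunk
        while self._step():
            pass

    def _step(self):
        if self._state == "data":
            name, remaining, dec, h = self._cur
            take = self._buf[:remaining]
            self._buf = self._buf[len(take):]
            h.update(dec.decompress(take) if dec else take)   # hash the entry's real content
            remaining -= len(take)
            if remaining:
                self._cur = (name, remaining, dec, h)
                return False                                    # wait for the next chunk
            if dec:
                h.update(dec.flush())
            self.entries.append((name, h.hexdigest(), self.total - len(self._buf)))
            self._state = "header"
            return True
        if self._state == "header":
            if len(self._buf) < LOCAL_LEN:
                return False
            if not self._buf.startswith(LOCAL_SIG):
                self._state = "done"      # central directory starts here; it is only complete at EOF
                return False
            _, _, flags, method, _, _, _, csize, _, nlen, xlen = struct.unpack(LOCAL_FMT, self._buf[:LOCAL_LEN])
            if flags & DATA_DESCRIPTOR:
                self.uses_data_descriptor = True   # entry length unknown up front: defer to post-download parsing
                self._state = "done"
                return False
            need = LOCAL_LEN + nlen + xlen
            if len(self._buf) < need:
                return False
            name = self._buf[LOCAL_LEN:LOCAL_LEN + nlen].decode("utf-8", "replace")
            self._buf = self._buf[need:]
            # method 8 is deflate (raw stream, hence negative wbits); method 0 is stored.
            # Any other method is hashed as-is, which is still usable as an indicator.
            dec = zlib.decompressobj(-zlib.MAX_WBITS) if method == 8 else None
            self._cur = (name, csize, dec, hashlib.sha256())
            self._state = "data"
            return True
        return False


# Constructed sample content; SAMPLE_DEX is not real bytecode and its hash stands in for a known-bad indicator.
SAMPLE_MANIFEST = b"<manifest package='example.constructed'/>" * 4
SAMPLE_DEX = b"dex\n035\x00" + bytes(range(256)) * 8
SAMPLE_MANIFEST_SHA256 = hashlib.sha256(SAMPLE_MANIFEST).hexdigest()
SAMPLE_DEX_SHA256 = hashlib.sha256(SAMPLE_DEX).hexdigest()


class _WriteOnlySink:
    """A sink without tell()/seek(), which makes zipfile emit data descriptors."""
    def __init__(self):
        self.data = b""
    def write(self, b):
        self.data += b
        return len(b)
    def flush(self):
        pass
    def close(self):
        pass


def build_sample_apk(seekable=True):
    """Constructed stand-in for a downloaded APK with the usual entry names."""
    sink = io.BytesIO() if seekable else _WriteOnlySink()
    with zipfile.ZipFile(sink, "w") as zf:
        zf.writestr("AndroidManifest.xml", SAMPLE_MANIFEST, zipfile.ZIP_DEFLATED)
        zf.writestr("classes.dex", SAMPLE_DEX, zipfile.ZIP_STORED)
        zf.writestr("res/raw/blob.bin", bytes(3000), zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n", zipfile.ZIP_DEFLATED)
    return sink.getvalue() if seekable else sink.data


def inspect_download(apk_bytes, chunk_size=64):
    """Simulate a sequential download and return the inspector with its timeline."""
    insp = StreamingApkInspector()
    for off in range(0, len(apk_bytes), chunk_size):
        insp.feed(apk_bytes[off:off + chunk_size])
    return insp


def blocklist_hits(insp, bad_digests):
    """Entries whose content hash matched, with the byte count at which the match was possible."""
    return [(name, at) for name, digest, at in insp.entries if digest in bad_digests]


if __name__ == "__main__":
    apk = build_sample_apk()
    insp = inspect_download(apk)
    for name, digest, at in insp.entries:
        print(f"{at:6d}/{len(apk)} bytes: {name} sha256={digest[:16]}...")
    print("blocklist hits during download:", blocklist_hits(insp, {SAMPLE_DEX_SHA256}))
```

The timeline printed by the script shows each entry becoming inspectable hundreds of bytes before the end of the file, which is the window the post is talking about. One caveat for anyone building on this: a local file header may disagree with the central directory, and the installer trusts the latter, so the streaming view is an early look rather than the final word, and the complete file should be parsed again from its central directory once the download has finished.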
Our updated Android test methodology, Android, the Next Testbed (ANT for short), will highlight whether Android antivirus brands prevent malicious apps from being downloaded. For any given test case, there are four potential outcomes:
- Detected during download: The user is warned while the download is taking place.
- Detected after download: The user is warned after the download has finished, but the user has not yet installed the application.
- Detected after installation: The user is warned after the app has been installed. (Note that this is the “Pass” level for our current methodology.)
- Miss: The app has been downloaded and installed and the user has not been warned.
The ANT methodology will debut in Q4 of 2021; stay tuned for details. If you would like to feature in our Android Antivirus Efficacy Test panel, please get in touch. You can read our latest Android Efficacy Assessment report here.