Talk by Stephanie Vanroelen at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/ZFJFW8/ This talk is about top anti-virus apps on Mobile. An in depth look on how they work and what they do. Do they add to or break the security of the mobile OS? This talk is about top anti-virus apps on Android. An in-depth look at how they work and what they do. The focus will be on the top 5 android apps: Kaspersky Mobile Antivirus Avast Mobile Security Norton Security & Antivirus Sophos Mobile Security Security Master This talk will try to answer the following questions: Do they add to or break the security of the Android sandbox system? What type of information is being shared back to the company (if any)? Are these apps well built? Finally, I will address the following: Do I recommend any of these apps and if so which one and why?

1. www.nviso.be
Mobile Anti-Virus Apps Exposed
A look at top anti-virus apps on Android.

2. Classification: Internal
STEPHANIE VANROELEN
I am a technical security consultant at NVISO.
My main area of focus is mobile applications. I also perform web
application-level penetration tests.
My background in Mobile and Web development allows me to
understand both problems and solutions from a developer’s point of
view.
I am actively involved in the security community and I try to share
my knowledge through trainings, presentations and conferences.
+32 (0) 494 03 84 72
svanroelen@nviso.be
www.linkedin.com/in/stephanievanroelen

3. Quick Intro
Mobile Anti-Virus Apps Exposed
This talk will take a look at several Android anti-virus apps. Do these
apps work as advertised? Is there more going on beneath the
surface?
Mission
Does a mobile anti-virus app provide more security for your phone?
Which one would I recommend?
Strategy
Taking a look underneath the hood of 4 of the top recommended
anti-virus apps.

4. “Which mobile anti-virus app would
you recommend?”

5. After short market research we came up with a top 5 of Android Anti-Virus
applications. These applications had to scan the device for infections.
This includes applications and files stored on the device.
5 Potential App Candidates

6. Actual detection of malware
Does the app actively detect malware on the system?
No hidden data sharing or
functionality
Does the app only do what it advertises or are there a
lot of hidden things being done.
Quarantine or removal of malware
or virus
Does the app help you remove the malware or provide
a way to clean the device?
Does the app provide an added
value?
Does this app actually improve the security of the
device?
Why Would I Recommend This App?

7. Research into the apps
A step by step approach

8. Research
Setup
Android Device
Rooted Nexus 5 with Android 6.0.1
Pineapple Nano
M-i-t-m Physical Device
Kali VM VirtualBox
Kali 2018.2 AMD 64-bit
Wireshark
A network packet capture software
Burpsuite
A M-i-t-m software solution

9. Starting assumptions
Before taking a look at the steps I took there are a number of prerequisites you have to keep in mind.
The steps have been taken and environments have been setup so that we can perform the steps explained a bit later in the presentation.
Rooted Phone
I first made sure that the Nexus 5
that I would be using for testing was
a clean install and that the device
was rooted.
01
Non isolated network
Both my laptop and my mobile
device were connected to the same
non-isolated WIFI network
02
Burp certificate is installed
on device
To be able to perform a m-i-t-m
attack on SSL/TLS traffic.
03

10. Install Anti-Virus apps on device
My First step was installing the 5 applications on
the Nexus 5 from the Google Play store.
Use the apps like a normal user
Use the applications like a normal user, scan the
device for viruses.
Pull app data + application
After we have used the apps like a normal user
we pull the data from these apps stored on the
device as well as the applications themselves
Step 1
Step 2
Step 3

11. Decompile and unzip applications
Once we have the different APK files we can
decompile and unzip them. Here we try and
determine how the apps work and what they do.
Network Traffic analysis
While using the applications we take a look at all
network traffic being made using the Pineapple
Nano and Wireshark as well as taking a more
specific look at the HTTP and HTTPS traffic by
using Burpsuite. Here we try to see what type of
information is being communicated.
Take a look at the logs
We pull the logs from the device and take a look
at what is being logged during the use of the
applications.
Step 4
Step 5
Step 6

12. Install malware on the device
Now that we have all data of the applications as
they run without malware present on the system
it is time to install the malware.
Repeat steps 2 - 5
After the malware is installed on the device we
once again use the phone like a normal user and
take a look what the apps do on the device.
Compare data and form conclusions
Now that we have initial states and after malware
states we can start comparing type of files kept
on the device, type of traffic being sent by the
malware apps, etc.
Step 7
Step 8
Step 9

13. Step 1Install Anti-Virus apps on device

14. 5 - 1 = 4
When starting the Sophos Mobile Security app, it
requested Superuser privileges. This was the only app
of the five that requested full access to our device.
As the purpose of our research was to determine if we
would recommend any of the top 5 anti-virus apps to
end-users we decided to exclude this app from our
research.

15. Step 2Use the apps like a normal user

16. 16www.websitename.com
Use the applications like a normal user on
a device without malware.

17. Step 3Pull app data + application

18. Large APK files and data folders
The average Android file APK file size is 15 MB.
MB
0
15
30
45
60
Avast Kaspersky Norton Security Master
APK size Data folder size

19. Step 4Take a look at the logs

20. The logs give us useful indications for what classes of the application that we have to take a closer look at and
what files on the device to take a closer look at.

21. /storage/emulated/0/Android/data/
com.kms.free/cache/
In this case the file is rather harmless but its a good indication of how the
logs can help you find useful data.

22. Step 5Network Traffic analysis

23. List of domains My IP adress is being
requested
Encrypted data is
being sent
WIFI data is being
shared tp Norton
Wireshark did not pan
out

24. Step 6Decompile and unzip applications

25. Code Obfuscation and a lot of permissions
All of the apps use code obfuscation on part of their code making it difficult to find out exactly what the
app is doing.
A lot of permissions
All of the applications ask for a lot of permissions
Number of permissions per app
Avast Kaspersky Norton Security Master
96
4246
64

26. Android.permission.GET_TASKS
Allows application to retrieve information about currently and
recently running tasks. May allow malicious applications to discover
private information about other applications.
Android.permission.CALL_PHONE
Allows the application to call phone numbers without your
intervention. Malicious applications may cause unexpected calls on
your phone bill. Note that this does not allow the application to call
emergency numbers.
Android.permission.REQUEST_INSTALL_
PACKAGES
Malicious applications can use this to try and trick users into
installing additional malicious packages.
Com.android.launcher.permission.WRITE_
SETTINGS
Allows an application to modify the system's settings data.
Malicious applications can corrupt your system's configuration.
Android.permission.AUTHENTICATE_ACC
OUNTS
Allows an application to use the account authenticator capabilities
of the Account Manager, including creating accounts as well as
obtaining and setting their passwords.
ANDROID.PERMISSION.MOUNT_FORM
AT_FILESYSTEMS
Allows the application to format removable storage.

27. Step 7Install malware on the device

28. BeNews Malware
https://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in-hacking-team-dump-
designed-to-bypass-google-play/
BeNews is a fake news application.
It is a backdoor application and is used to lure victims to download
malware onto their device.
This app exploits a local privilege escalation vulnerability in Android
Devices.

30. Step 8Repeat steps 2 - 5

31. Step 9Compare data and form conclusions

32. Not enough info
Right now I do not feel comfortable with recommending
a good anti-virus app, there are still too many things to
look into.
Why do the apps need all
those permission?
What exactly do the apps do?
What is the encrypted data
being shared?

33. Questions?

34. Contact Me
vanroelens@gmail.com
@nephastieke
https://www.linkedin.com/in/
stephanievanroelen

35. Thank You
www.nviso.be