Free antivirus apps requesting huge amounts of dangerous permissions they don’t need

Security Master, Virus Cleaner, Antivirus, Cleaner (MAX Security), and Clean Master are three free antivirus apps you can find on Google Play. But that’s not the only thing they have in common: these apps are also amazingly popular and potentially dangerous.

That’s because they’re asking users to give them a lot of dangerous permissions that they don’t seem to need. Permissions like knowing where you are at all times, being able to use your camera, and even using your phone without your knowledge.

These apps have been downloaded more than 2 billion times by users all around the world, users putting themselves and all the precious data on their phones at risk. For example, by giving Virus Cleaner permission to upload files to your system, you could be allowing it to add more malware to your device [pdf] that you’ll have to pay to remove. Security Master and Clean Master will launch apps automatically if you give them the right permissions.

Even though these apps have been found guilty of these malicious activities in the past, they’re still available on Google Play and amassing millions of installs every month.

Because Google has taken no action against them, we recommend users always ask the following questions before installing any app:

• Do I really need an antivirus app? For the most part, the answer is no – unless you’re installing unofficial apps or not updating your other apps or phone.
• Is this app from a reputable developer? If it isn’t, you might want to choose one from a well-known brand.
• Does this app really need these dangerous permissions? Usually they don’t. But sometimes, by denying certain permissions, the entire app may not work. At that point, you’d have to consider getting a different antivirus app.

Update: Google’s new App Defense Alliance

After our research was published and discussed in multiple outlets including Forbes, the Daily Express and the Mirror, Google admitted to having a problem blocking apps that contain malware. In order to prevent malware-ridden apps from sneaking into the Play store, Google has established the App Defense Alliance in partnership with ESET, Lookout and Zimperium.

These three antivirus firms have extensive experience in researching and identifying malware, and will hopefully help Google keep dangerous apps away from billions of users worldwide.

About this research

In this research, we looked at the 15 most popular free antivirus apps (all in the top 30 antivirus apps) on the Google Play store to see what kind of permissions they’re requesting. These apps have been downloaded more than 2 billion times – and requesting more dangerous permissions than they apparently need.

Standard permissions, such as using Bluetooth or the internet, are labeled as normal permissions by Google and given by default.

However, permissions that can affect a user’s privacy or affect the device’s normal operation are labeled as dangerous permissions and the user must explicitly agree to these permissions when they use the app. Dangerous permissions include using the microphone, camera, making calls, reading and writing files, and much more.

The problem here is that many apps are requesting more dangerous permissions than they actually need to operate.

Key takeaways

• 12 of the 15 free antivirus apps are based in China or Hong Kong
• Developer Cheetah Mobile, with 2 free antivirus apps, is known for ad fraud
• 2 apps were identified as spyware or malware by the Indian government
• 1 app has been identified as rogueware [pdf]
• Apps request 1-10 dangerous permissions, with an average of 6 per app
• Unnecessary dangerous permissions include the ability to make calls, take pictures, and record audio

What’s also interesting to note is that three separate developers – ONE App Ltd, Hyper Speed, and Smooth Apps Studio – share the same Hong Kong address. These developers’ apps (four in total) have now been removed from the Play store.

In order to carry out this analysis, these apps were downloaded directly from the Google Play store. The APK files were then extracted from those apps, and the permissions were taken from those APKs.

App groupings for “dangerous permissions” were obtained from the Android developer manifest. Rankings were taken from the initial research in July 2019.

Most common antivirus app dangerous permission requests

In our research, we analyzed the permissions (and levels of those permissions) requested by the 15 free antivirus apps found in the top 30 results for “antivirus”. Note: the initial count was 16, but one antivirus app was removed from the Play store before we could analyze it.

When looking at the total amount of permissions requested by these apps, we identified certain permissions as dangerous based on the Android developer’s manifest.

Table 1. Most common dangerous app permissions

As can be seen from the table, the ability to write to external storage is requested by every single app, while the ability to record audio is only requested by one – Security Master, the #1 free antivirus app on the Play store.

We’ll go over these dangerous app permissions in depth further below.

Why do these apps want these dangerous permissions?

For the most part, the answer is pretty simple: money.

While we can be very suspicious of apps from restrictive and surveillance-hungry countries like China, the simple truth is that data is a very, very big business. It’s expected to reach $274 billion by 2022.

Location-sharing data in exchange for money

When it comes to apps, the most profitable data comes from dangerous permissions that were requested by 9 out of the 15 antivirus apps analyzed here: location, location, location.

Specifically, we’re talking about ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION, which uses GPS coordinates, cell data, and/or wifi to reveal users’ locations. With these permissions, they’re able to pinpoint users to within a few meters.

According to a New York Times report, mobile apps can send user location data every 2 seconds, and in some cases, more than 14,000 times per day to various companies. These marketing companies “sell, use or analyze the data to cater to advertisers, retail outlets and even hedge funds seeking insights into consumer behavior.”

How it works is that a marketing company will offer mobile app developers money if they add a few lines of code, or SDK, into their apps. The SDK gathers up all the data the app can access, and the developers get a nice monthly check in return.

A BuzzFeed News investigation showed how one marketing company – a Paris-based data broker called Teemo – emailed app developers to get access to their data:

This is a lot of money. For example, Security Master has 500 million installs. According to SimilarWeb, the app has roughly 1.76 million active monthly users in the US alone. At $4 for 1000 users, that equals $7,040/month. From one country, for one data broker.

If they work with 3 data brokers, that could be $21,000 from the US alone. If they work with 5, that is more than $35,000/month.

Another app broker, Epom Apps, also has a similar payment structure to Teemo:

Here we added Security Master’s 1.76 million US monthly active users, and estimated a daily active user amount of 1 million. The monthly revenue is similar: $7,056/month. However, another important aspect is what’s written below their revenue calculator: With more permissions included (i.e. Fine Location, Bluetooth) your earnings will grow.

It’s simple then: The more data you can get, meaning more dangerous permissions per user, the more money you’ll earn each month.

For users, this presents a big privacy threat. While apps are eager to state that all this tracking data is “anonymous,” research has shown that there is no such thing as anonymous data. In fact, one study showed that with only 4 time-and-place data points, they could uniquely identify 95% of the individuals in their study.

Data for malicious and illegal purposes

But there may also be illegal or blackhat reasons for apps to use data gained from these dangerous permissions. For example, research showed how one weather app not only sent user data to servers in China (from all permissions, including READ_EXTERNAL_STORAGE). It also secretly launched web browsers to click on website ads, and attempted to subscribe users to premium phone numbers (costing users lots of money every month).

Other apps have been discovered to make malicious phone calls (using the CALL_PHONE permission), as well as to scrape, encrypt and send all data to a remote site or send phishing emails.

In total, the amount of malicious or lucrative things that can be done with user data is staggering, and often only limited by fraudsters’ or marketing companies’ creativity.

Dangerous app permissions by antivirus app

Not all of these free antivirus apps are asking for as much as they can. For example, Latvia-based Tap Technology SIA, which develops the app Antivirus Mobile – Cleaner, Phone Virus Scanner only asks for the ability to write external storage.

However, some apps ask for as many as 10 dangerous permissions. You can see the worst offenders in the table below.

Table 2. Dangerous app permissions by antivirus app

Note that these 6 worst offenders have a total of 1.66 billion downloads already in the Google Play store.

Dangerous permissions explained

Out of the 30 dangerous permissions listed by Google, these 15 antivirus apps asked for 11. Let’s look at them in detail. We’ll also note the risk of danger to your privacy and security, with high presenting the most risk.

  RECORD AUDIO

• RISK: HIGH
• 1/15 apps requested

With this permission, the antivirus app can record audio, and allows them use of the device’s microphone.

This permission is only requested by Security Master – Antivirus, VPN, AppLock, Booster, a top 5 app for “antivirus” in Google Play.

• RISK: HIGH
• 6/15 apps requested

This allows any app to make a phone call directly from the app, without using the Dialer interface or requiring the user to confirm the call.

• RISK: HIGH
• 11/15 apps requested

This allows the antivirus app access to use your device’s camera.

• RISK: HIGH
• 9/15 apps requested

This permission allows the app to determine your precise location, by using GPS, mobile cell data, wifi, or all three in combination.

• RISK: MEDIUM
• 7/15 apps requested

This allows the antivirus app to look through your contacts data.

  WRITE CONTACTS

• RISK: MEDIUM
• 2/15 apps requested

This allows the app to make changes to your contacts data.

This permission is requested by: Security Master – Antivirus, VPN, AppLock, Booster and 360 Security – Free Antivirus, Booster, Cleaner.

• RISK: MEDIUM
• 14/15 apps requested

This permission allows the app to read or view files on your external storage. This is also a logical permission for an antivirus app to have, although not all apps require it. On the other hand, the app can also access other user files, third-party app logs, or system logs.

This permission is requested by all apps, except for Antivirus Mobile – Cleaner, Phone Virus Scanner by developer Tap Technology SIA.

• RISK: MEDIUM
• 12/15 apps requested

This allows antivirus apps the ability to have read only access to your phone state. That means they’ll be able to see your phone number, status of ongoing calls, and cellular network information.

• RISK: MEDIUM
• 10/15 apps requested

This permission allows an app access to the list of accounts in the Accounts Service.

• RISK: MEDIUM
• 9/15 apps requested

This allows the antivirus app to determine the device’s location by using mobile cell data, wifi, or both in combination.

• RISK: LOW
• 15/15 apps requested

This allows the antivirus app to write or update your external storage. Out of all the dangerous permissions, this one is the most logical for an antivirus app to have.

This permission is requested by all apps on our list. (You can view the full list of apps below.)

Malicious apps in the Play store

While most of these apps are suspicious to say the least by the amount of unnecessary dangerous permissions they’re requesting, some of them have actually been identified as malicious.

It is surprising that Google Play still allows these apps to be listed in their search results, gaining more than a billion downloads.

Cheetah Mobile’s ad fraud

First there’s Cheetah Mobile (AppLock & AntiVirus) which develops two apps in our analysis: Security Master – Antivirus, VPN, AppLock, Booster and Clean Master – Antivirus, Applock & Cleaner. Together, those two apps have 1.5 billion installs on the Google Play store.

Cheetah Mobile, and specifically these two apps, were identified in research by app analytics company Kochava for engaging in ad fraud, click flooding and click injection.

According to BuzzFeed News, Cheetah Mobile “tracked when users downloaded new apps and used this data to inappropriately claim credit for having caused the download.”

CTO Praneet Sharma of Method Media Intelligence stated the following:

“The fact that you have such high-permissions apps, you’ve got apps from companies that are based in China and they collect so much information. They are logging everything, so … from a privacy standpoint they are violating a lot of things.”

India bans Hi Security’s Virus Cleaner

At the end of 2017, India’s intelligence agencies warned the country’s army and paramilitary against using 42 mobile applications identified as spyware or malware. Included in the ban is developer Hi Security’s Virus Cleaner 2019 – Antivirus, Cleaner & Booster, a popular free antivirus app with more than 50 million installs on Google Play. It is owned by Shenzhen HAWK, which in turn is owned by the major TCL Corporation.

Also in that ban list is Cheetah Mobile’s Clean Master – Antivirus, Applock & Cleaner.

Virus Cleaner is identified as rogueware

An analysis [pdf] by the British security software and hardware company Sophos found that the Virus Cleaner, Antivirus, Cleaner (MAX Security) app is actually rogueware. Sophos describes rogueware as programs that “pretend to detect and fix problems on your computer and tries to convince you to pay money/add more malware.”

Minimum permissions needed to function

When looking at these dangerous permissions requests, we can identify only two dangerous permissions that an antivirus app needs to function:

READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE

These allow antivirus apps the ability to check users’ storage and remove unwanted files. This is pretty logical for an antivirus app.

In fact, only one app, Antivirus Mobile – Cleaner, Phone Virus Scanner by the Latvian developer Tap Technology SIA requested just the WRITE_EXTERNAL_STORAGE permission. But still, the app functions exceedingly well.

Other permissions, such as CAMERA, RECORD_AUDIO and CALL_PHONE don’t seem to be necessary for an antivirus app.

Summary

In general, antivirus apps requesting a large amount of dangerous permissions can seem quite suspicious, and we recommend caution.

That’s especially true since some of these apps have been identified as potentially malicious. In general, when selecting an antivirus app for your phone, consider these questions first:

• Do I really need an antivirus app? For the most part, the answer is no – unless you’re installing unofficial apps or not updating your other apps or phone.
• Is this app from a reputable developer? If it isn’t, you might want to choose a well-known brand.
• Does this app really need these dangerous permissions? For the most part, by denying certain permissions, the entire app may not work. At that point, you’d have to consider getting a different antivirus app.

In any case before using any third party app think about your online privacy and use a VPN to protect yourself. Here is the list of trusted VPN providers for you. Try VPN trail option for free.

Listings of VPN for movie watching:

• VPN for Popcorn time
• VPN for Kodi

Free VPN options:

• Free VPN for Windows
• Free VPN for Chrome
• Free VPN for Kodi
• Free VPN for Netflix
• Free VPN for Popcorn time

Check out our other research:

• How to beat Google Play’s algorithm and get 280 million installs
• Hidden VPN owners unveiled: 99 VPN products run by just 23 companies
• Study: how the world’s top websites track your online behavior
• Who is dominating the rising VPN market in 2019? Here are the numbers
• VPN confidential: how private is your VPN purchase?

Table 3. Full table of free antivirus apps and their requested dangerous permissions

Disclaimer:

We meticulously research our stories and endeavor to present an accurate picture for our readers.  We’re also human, and if you believe we have made a factual error (as opposed to disagreeing with an opinion), please contact us so that we may investigate and either correct or confirm the facts. Please reach out to us using our Contact Us page.