(In-)security of smartphone anti-virus and security apps

Android is by far the most popular operating system for smartphones today. Many people entrust their Android-based phone with highly sensitive data such as business documents and credit card information, or perform critical tasks such as online banking on their devices. To protect their devices against threats from malware or attackers who aim to exploit security vulnerabilities, many users rely on anti-virus and security apps available from renowned vendors. In this paper, we show that those apps contain severe vulnerabilities on their own, and that installing them can even decrease the overall security of the device. We analysed the most frequently downloaded security apps and found that they were vulnerable to remote code execution and malware database downgrades. Some anti-virus scanners could be disabled remotely without the user noticing, or devices could be locked and wiped remotely without proper authentication. We show that, when it comes to the security of their own code, security apps are no better than regular apps.