Back in early 2013, a new mobile antivirus (AV) company called Armor for Android emerged in the mobile security software industry, and it had everyone perplexed. It looked eerily like the class of malware known as Fake AV, and some even gave it that label. As a younger mobile researcher, I was one of those who did, adding it to a list of malware detections. Shortly after, Armor for Android contacted the security company I worked for at the time and demanded that the detection be removed.
As a rebuttal, I wrote a blog post to fire back with evidence that there was no way this AV company could be legitimate, despite it being on Google Play. I never published that post because I was thrown off by something that had me questioning everything: the AV company had been tested by a reputable antivirus testing company. Even more off-putting, it scored high enough to receive an official certification! How could a Fake AV be certified by a respectable AV test company?
I left the blog alone and let the subject die. But recently, Armor for Android appears to have made a comeback. Let's take a look at how they were gaming the system five years ago, and what new tricks they're up to now.
Cheating the system

Suddenly, Armor for Android was competing with everyone else in the industry after only a couple of months. But how? Simple. They were cheating. I remember vividly that the naming conventions they used to detect malware were the same as those of other well-received anti-malware mobile scanners. To be fair, many in the industry use similar naming conventions. However, the ones used by Armor for Android were EXACTLY the same as other companies'. It was obvious they were stealing other companies' detections. But how?
Share, but don't steal

VirusTotal is a company that everyone in the software security industry uses to share detections with the world. You can simply upload a file, even an Android APK, to virustotal.com and several antivirus/anti-malware scanners will return results. This can help the typical user find out whether a file is malicious. In addition, it helps point security researchers in the right direction in determining for themselves whether something is malicious. What isn't allowed is pulling results directly from VirusTotal and presenting them as your own. Not only is this against the terms of service, it is a deadly sin among everyone in the security industry.
But that is exactly what Armor for Android does. By running Armor for Android under a network analyzer tool, you can see traffic to and from VirusTotal. The detailed data reveals that they indeed steal the detections of others. Pretty easy to do well on a test when you're peeking over the shoulder of the smartest kids in class!
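The check described above, observing an app's captured traffic for calls to VirusTotal, can be scripted once the capture has been exported as request lines. The following is an added example for this post, not code from the original article or from any product it mentions: it parses a small log of proxy-style request lines (the log format and all sample URLs are constructed for this example; the virustotal.com hostname and its v2 and v3 API paths are real) and reports which requests went to VirusTotal and which API endpoints were hit.

```python
"""Flag an app's outbound requests to VirusTotal in a captured traffic log.

Added example (not the original post's code). A reviewer looking at a
network capture of a suspect "antivirus" app wants to know whether the app
is querying VirusTotal for its verdicts. The log format below is
constructed for this example; the VirusTotal hostname and the /vtapi/v2
and /api/v3 paths are real endpoints.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of request lines in the form "<unix_ts> <METHOD> <url>".
SAMPLE_LOG = """\
1358000001 GET https://www.example-adnetwork.invalid/ads?id=123
1358000002 POST https://www.virustotal.com/vtapi/v2/file/report
1358000003 GET https://www.virustotal.com/api/v3/files/ABCDEF0123456789
1358000004 GET https://updates.example-av.invalid/signatures.db
this line is malformed and must be skipped, not crash the parser
1358000005 POST https://www.virustotal.com/vtapi/v2/file/scan
"""

# Match virustotal.com itself or any subdomain (www., etc.).
VT_HOST_RE = re.compile(r"(^|\.)virustotal\.com$", re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def parse_log(text):
    """Yield (timestamp, method, host, path) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the review
        parts = urlsplit(m.group("url"))
        yield int(m.group("ts")), m.group("method"), parts.hostname or "", parts.path


def find_virustotal_requests(text):
    """Return only the requests whose host is virustotal.com or a subdomain."""
    return [r for r in parse_log(text) if VT_HOST_RE.search(r[2])]


def summarize(text):
    """Count VirusTotal API paths hit, so scan/report lookups stand out at a glance."""
    return Counter(path for _, _, _, path in find_virustotal_requests(text))


if __name__ == "__main__":
    for ts, method, host, path in find_virustotal_requests(SAMPLE_LOG):
        print(f"{ts} {method} {host}{path}")
    print(dict(summarize(SAMPLE_LOG)))
```

A file-report lookup (`/vtapi/v2/file/report` or `/api/v3/files/<hash>`) immediately after the app hashes a newly installed package is the pattern to look for; a legitimate scanner pulling its own signature updates will not show it.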
Showing their real intentions

Armor for Android could have stopped there. They had already duped Google Play. In addition, they clearly had the money to pay for an expensive test to receive certification. Instead, they decided to proceed with tactics used by other Fake AV malware. The following evidence is what I found years ago, but regrettably never published.
Back in 2013, I was playing a free game downloaded from Google Play. In exchange for the app being free, I agreed to receive non-aggressive ads, as many of us do. What I saw was a series of different links using scare tactics:
[Screenshots: the scare-tactic ad links]
As a young mobile researcher, I did what all of us would have done and clicked on these links to see which rabbit hole they would take me down. The first hop was this one:
Onward down the rabbit hole, I clicked Download & Scan FREE Now, and it started to download a file named Scan-For-Viruses-Now.apk (more on this app in a bit).
After the download, I landed on a known Armor for Android web page that instructs you to allow unknown sources and again to download and install an app.
Very odd for a legitimate AV company to instruct mobile users to download directly from their website rather than pointing them to Google Play.
Double chance of infection

Further analyzing the downloaded app, Scan-For-Viruses-Now.apk, it's a version of Armor for Android that insists on a payment of $1.99 to scan the device. Check the fine print, because that ends up being $1.99 per week, or $103.48 a year. But hey, they have a certification from an AV testing firm, right?
[Screenshots: Scan-For-Viruses-Now.apk payment prompts and fine print]
It appears Scan-For-Viruses-Now.apk downloads just in case you weren't falling for the previous web page, the one asking you to allow unknown sources and stating IMPORTANT! You must now INSTALL, OPEN and ACTIVATE. Also, if allowing unknown sources was disabled on your device, it would have been a last-ditch effort, since Scan-For-Viruses-Now.apk wouldn't have been able to download and install. In my opinion, none of this looks like the practices of a legitimate AV company.
Re-emergence of a classic

Just a couple of days ago, an APK came into our mobile intelligence system with a different name, but a very familiar set of behaviors. It was clearly a repackaged variant of Armor for Android, but this time called Android's Antivirus.
[Screenshots: the repackaged Android's Antivirus variant]
Swiftly, we added a detection called PUP.Riskware.Armor.