The Google Play “Super Antivirus” that’s not so super at all… [REPORT]

Remember fake anti-virus?

It was a big money-making gimmick used by cybercriminals a few years ago, aimed at regular computers and mobile devices alike.

The idea was staggeringly simple: run a free “scan” that pretended to whizz through your hard disk or phone storage, looking for those stubborn malware infections that your traditional anti-virus had missed.

What’s not to like about a free second opinion?

After all, Sophos offers just the same sort of thing, also free, for desktops, laptops and mobiles.

But the typical fake anti-virus had three huge differences from a genuine free product:

  1. It didn’t actually look for threats. It usually picked some filenames at random, and told you they were infected with some mysterious-sounding virus, using a threat name that did exist if you went and searched for it. The whole thing was a pack of lies, but lies that were told-and-sold with visual panache and unswerving confidence.
  2. When you clicked [Clean up], it suddenly wasn’t free any more. You had to pay to get a licence code to activate the cleanup module.
  3. If you paid, the “threats” magically disappeared. Nothing was cleaned up, of course, because the fake anti-virus wouldn’t have known what to do with a virus even if it could have detected it in the first place. All the product did was secretly activate a configuration option that put it into Fake Clean Bill Of Health mode.

For a while, fake anti-virus was surprisingly successful for the crooks, not least because many of the victims simply didn’t realise that they’d been fleeced: the price seemed about right, the product seemed to have done what it said, and so there was no obvious reason to complain to the credit card company for a refund.

Even teenaged beginners could get in on the game.

Back in 2014, for example, Google took $3.99 from tens of thousands of users for an app called Virus Shield, a fake anti-virus that was accepted into the Play Store even though it was so bogus that it didn’t even bother to show the filenames it was pretending to scan – it just ran a progress bar from left to right, and that was that.

A 17-year-old was behind that scam, and he nearly got away with it because Google’s official app refund policy only covered a 15-minute window after downloading the app, although reason prevailed in the end, and Google gave everyone their money back.

Fake anti-virus is back

Well, fake anti-virus is back – and back in the Google Play Store, at that – with an interesting twist.

This time, the app, Super Antivirus 2018, actually “detects” things – because it uses a built-in blocklist of other apps, it can at least claim to be reporting the presence of specific apps, even if those apps aren’t malware at all.

Also, Super Antivirus 2018 doesn’t do the “now you have to pay” trick; instead, it launches into aggressive advertising for an additional security app with a real mouthful of a name: Security Elite – Clean Virus, Antivirus, Booster.

If you grab that app, then you are bombarded with yet more ads, for an experience that won’t make you any more secure, but will almost certainly leave you hopping in annoyance.

SophosLabs researcher Rowland Yu has published a fascinating technical report digging into the details of how this not-so-super anti-virus charade unfolded, and what Sophos did about it – why not read it now? [PDF link, ungated.]