Does your mobile anti-virus app protect or infect you? Revealing the truth behind DU Antivirus Security
September 2017 by Check Point
Check Point mobile threat researchers recently discovered a free mobile anti-virus app developed by the DU group, a developer of Android apps, which collects user data without the device owners’ consent. The app, called DU Antivirus Security, was distributed over Google Play, Google’s official app store, and downloaded between 10 and 50 million times, according to Google Play data.
According to Check Point’s research, when DU Antivirus Security runs for the first time, it collects information from the device, such as unique identifiers, contact list, call logs, and potentially the location of the device. This information is then encrypted and sent to a remote server. The customer information is later used by another app offered by the DU group, called "Caller ID & Call Block - DU Caller," which provides users with information about incoming phone calls.
While users trusted DU Antivirus Security to protect private information, it did the exact opposite. It collected the personal information of its users without permission and used that private information for commercial purposes. Information about your personal calls, who you’re speaking with and for how long, was logged and later used.
Check Point reported the illegal use of the users’ private information to Google on August 21, 2017, and the app was removed from Google Play on August 24, 2017. A new version that doesn’t include the harmful code was uploaded to the Play store on August 28, 2017. Version 3.1.5 of DU Antivirus Security is the latest version found to include this privacy-leaking code, but older versions might still include it.
In addition to DU Antivirus Security, Check Point researchers detected the same code in 30 other apps, 12 of which were found on Google Play and subsequently removed. These apps probably implemented the code as an external library, and transmitted the stolen data to the same remote server used by DU Caller. All in all, the illicit code affected between 24 and 89 million users who installed these apps, according to Google Play data.
Users who installed DU Antivirus Security or any of the other apps should verify that they are upgrading to the latest version, which does not include this code.
Since anti-virus apps have a legitimate reason to request unusually extensive permissions, they are the perfect cover for fraudsters looking to abuse these permissions. In some cases, mobile anti-virus apps are even used as a decoy for delivering malware. Users should be aware of these suspicious anti-virus solutions, and use only mobile threat protection from reputable vendors that are proven to be capable of safeguarding mobile devices and the data stored in them.