Google’s own antivirus app fails to detect 70% of spyware

It’s a bad rating for Google Play Protect.

One of the earliest maxims about staying safe online is one of the best bits of advice: install anti-virus software to keep yourself secure. But the type of program you end up installing seems to matter enormously, according to new research that lays bare the issues with the world’s most widely-used Android antivirus program.

AtlasVPN analysed Android’s own internal Google Play Protect service, alongside a raft of other apps and services designed to keep you safe. The team tested each program’s ability to identify spyware of a specific strain – so-called “stalkerware” that enables a third party, often an abuser, to track and document everything that you do on your phone.Stalkerware is a veritable bounty for anyone who is able to successfully deploy it against a target, because of the range and level of detailed information it gathers about an individual. Pretty much anything you input to your phone, or hold on your phone – which includes everything nowadays from banking details to personal and private photographs, passwords, home addresses and social security numbers – can be gotten at by stalkerware and used against you for nefarious means.

Flunking the test

The work, which was carried out by website AV Test, ran each security application through its paces. Every single app was tested to see whether it could detect 29 separate threats that are most commonly posed by stalkerware. The threats are tracked by how the apps in question end up utilising the phone in ways that most others wouldn’t.

Antiy AVL, Bitdefender, Trend Micro, ESET and Kaspersky were among the strongest performers, picking up the majority of the secret tells that identify stalkerware and flagging it up as such to a user. 

Three of the apps – Antiy, Bitdefender and Trend Micro – managed to spot all 29 different threats correctly. 

This means that they would pick up any installation of stalkerware on a phone on which they were also running.

But the free, ubiquitous app offered by Google, the Play Protect service, only found 31% of the threats that could be a sign of stalkerware. “The results show that when it comes to virus protection, a well-known brand name isn’t always the best option,” says Edward Garb, a cybersecurity researcher at Atlas VPN. “The most widely used antivirus program fared the worst in this situation.

You get what you pay for

“Android users who rely on Google Play Protect to defend themselves against spyware should consider upgrading to one of the more powerful antivirus apps,” says Garb. Google has previously removed a range of suspicious apps from the Play Store for acting like stalkerware, most recently in October 2020. But its own app to try and spot these things was only able to pick up on nine of the 29 tells commonly found in stalkerware.

Even without a high-performing antivirus program such as those identified by the research, it’s still possible to intuit when you may have some suspicious software on your phone. 

For end users, keeping an eye on your battery life, data usage, and listening out for strange noises on phone calls is one way to discern whether you may be having your data and information hoovered up. Stalkerware tends to drain batteries and slow down other apps, while also increasing data usage as it sends home the secret information. Noise during phone calls could be a sign that someone is listening in.

For those with more of a technical bent, you can look through some of the options hidden within such apps to see whether or not they may be stalkerware. Stalkerware leaves traces of its existence in other apps, such as Google Chrome, where it enables the ability to install unknown apps or “Allow from this source” in order to be able to send its information back. And tellingly, even though the app is far from the best at highlighting when stalkerware has been installed, those behind nefarious apps often ensure that Play Protect is disabled – just in case it finds the app in question.