Free Malware Neutralizes Nearly All Android Antivirus Software

One of the most annoying problems for hackers is dealing with those pesky antivirus programs. As much as you may malign them, these software programs still form the main line of defense against common malware attacks. If only hackers had a way to neutralize these programs, their work would be much easier.

Well, relief is here at last. Now, a free toolkit is available to neutralize nearly all Android antivirus software. Look at the list below. If your current antivirus software is listed, you could be the next victim of the AVPass toolkit.

avpass list

This list is from the free malware code. The attacker simply chooses the number associated with the antivirus software they need to neutralize.

According to the developer, “AVPass is meant to make sure whatever malware you’re sending cannot be screened by antivirus.” That’s fine, but how is this done?

Basically, the toolkit uses the fact that all AV programs have set detection rules. Once those rules are understood, they can be manipulated to make malware appear to be harmless. Why is Android targeted? Simply because 86% of the smartphone market is Android.

An Android operating system with its associated files is contained in something called an APK file. If you could tap into this file, you could alter some of its components before you installed it. This can be done with certain tools as is seen in the example for an app called APKtool shown below.


This tool is included in the AVPass toolkit because it is needed to rebuild files to the hacker’s specifications.

Through what is more or less a trial-and-error approach, AVPass detects the antivirus program being used and then tests its detection capabilities by incrementally altering elements of the selected malware’s code and testing these changes on malware detection sites such as VirusTotal. Eventually, it builds an idea of the AV’s detection rules and how to circumvent them. In the end, the attacker can install the malware package they want and know that it will not be detected.

Since the Android platform dominates all other smartphone platforms, it is the most obvious target for hackers. It is projected that over 3.5 million Android malware samples were detected in 2017, which amounts to almost 8,500 samples a day. That’s a lot of material for attackers to work with.

Antivirus firms aren’t simply going to allow AVPass a free pass. They are now building AVPass detection into their software. The developers of AVPass are researchers from Georgia Tech who actually want to help antivirus firms detect malware that attempts to bypass their algorithms. Some malware detection software has already been built to uncover malicious code trying to hide itself on a device. DeGuard is one example of software built for the “statistical deobfuscation of Android APKs”, although the researchers point out that it is not without its own problems.


In order for software similar to AVPass to be developed, the researchers have made the code open-sourced and posted it online for anyone to use. Is this a good idea? I’m not sure. The researchers put up a disclaimer saying that the code is only to be used for research, but, let’s face it, malware developers can use it to insert any malware onto any Android device they want.

And it doesn’t stop here. The same researchers are planning to use the same strategy on Google Verify Apps to see if it is possible to get malware infected apps placed in Google Play Store. This would allow attackers to put malware into seemingly valid apps. If this was used with AVPass, the malware would be downloaded and installed without detection; a hacker’s dream.

One more thing, the same researchers plan on developing a version of AVPass for Windows. In short, it looks like all operating systems will soon be vulnerable to such attacks. At the moment, 2018 is shaping up to be the best year for hackers and the worst year for normal users that we have ever seen. Happy New Year.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s