WP7 AVG "antivirus" app is possibly spyware

Since the release of AVG’s antivirus security suite for Windows Phone 7, the software and its functions have drawn a lot of controversy. Former Microsoft employee Justin Angel took apart the WP7 application and reported through his Twitter account that the AVG app is in fact spyware. He found that the application tracks users through the geolocation API (GeoCoordinateWatcher) and sends unique information, such as phone model, users’ email addresses and location, back to the AVG servers.

http://t.co/6CosEdx - Unbelievable! WP7 "AVG Anti-virus" is actually spyware! It uses Geo Location to track users from app startup!

This use of the GeoCoordinateWatcher is specifically not allowed by the certificate guidelines, according to Angel. To make matters worse, well-known Windows hacker Rafael Rivera revealed that the application only scans for EICAR test strings and a specific Hebrew word through its supposed malware scanner. Meanwhile the application displays loads of advertisements.

WPCentral and Centurion’s Blog theorized that the location data could be used for several things: quality assurance, sending info to the more useful Android application, location-based searches and marketing purposes – the last of which would be the most malicious. Microsoft’s Brandon Watson is investigating the issue following this controversy, while the app remains available in the Marketplace.

The locked-down and sandboxed nature of Windows Phone 7 makes it difficult for malicious code to be executed and gain unwanted access to data, and as a result any anti-virus software can only perform limited tasks to search for and remove said code. At this stage the AVG Windows Phone antivirus suite looks extremely suspicious, provides little-to-no protection for the user, has a main purpose of serving ads and potentially uses location data for unwanted purposes.

29 Comments

SharpGreen said,

-1
Like Microsoft is any better.
Microsoft isn't primarily an advertising company. In other words, it's not their business to know everything about you.

SharpGreen said,

-1
Like Microsoft is any better.

I would argue they are. When MS collect data on you, it's not YOUR data, it's data on how you use THEIR product. The aggregate analysis is what Microsoft are after, they could care less about the content of your last sext message.

With google, I can't reliably say the same thing.

I don't know why anyone uses AVG any more. Between the bad updates they've released that have hosed Windows installs, the poor detection and performance, and now this..., I won't touch it. AVG is crapware.

TRC said,
I don't know why anyone uses AVG any more. Between the bad updates they've released that have hosed Windows installs, the poor detection and performance, and now this..., I won't touch it. AVG is crapware.

I don't know why anyone uses anything but Microsoft Security Essentials. I love the fact that it never bothers me at ALL unless it detects a virus. With all the old anti virus software I tried, they would want to let you know every time they updated the virus database, and they would nag for you to get the pro version or that a new version is out or other annoying crap.

MSE just sits silently and gets updated along with Windows. I love it. And it's totally free!

mrp04 said,

I don't know why anyone uses anything but Microsoft Security Essentials. I love the fact that it never bothers me at ALL unless it detects a virus. With all the old anti virus software I tried, they would want to let you know every time they updated the virus database, and they would nag for you to get the pro version or that a new version is out or other annoying crap.

MSE just sits silently and gets updated along with Windows. I love it. And it's totally free!

Totally agree- AVG, along with most other antivirus software, acts like you want to "talk" to it 24/7 and find out how hard it's been working.

MSE just works, and you don't have to worry at all- never slowed me down.

Only issue is that pirated Windows can't run it.

Tangmeister said,

Totally agree- AVG, along with most other antivirus software, acts like you want to "talk" to it 24/7 and find out how hard it's been working.

MSE just works, and you don't have to worry at all- never slowed me down.

Only issue is that pirated Windows can't run it.

Actually, it can.

I don't want to get into a fanboy flame war, but does the win7 platform have an app similar to what I use on my android device? LBE security, or a firewall?
You can have it tell you, and BLOCK any attempt to get your location, access the network, or give your IMEI number

naap51stang said,
I don't want to get into a fanboy flame war, but does the win7 platform have an app similar to what I use on my android device? LBE security, or a firewall?
You can have it tell you, and BLOCK any attempt to get your location, access the network, or give your IMEI number
No matter what your phone of choice, you shouldn't need an app to protect you from that. It's sad that so many shady people work so hard to be shady, get a real job with those skills!

You see, that's the difference, Android needs a virus scanner lol. Whereas WP doesn't need it because apps are sandboxed. So have fun with those scanners running in the background slowing down and draining your battery.

Android is the new windows XP, gidda virus scanner...puh lease

zeke009 said,
No matter what your phone of choice, you shouldn't need an app to protect you from that. It's sad that so many shady people work so hard to be shady, get a real job with those skills!
Didn't you hear? Jobs are no longer the big thing. Entrepreneurship is. LOL

flexkeyboard said,
You see, that's the difference, Android needs a virus scanner lol. Whereas WP doesn't need it because apps are sandboxed. So have fun with those scanners running in the background slowing down and draining your battery.

Android is the new windows XP, gidda virus scanner...puh lease

You have no idea what you're talking about.

flexkeyboard said,
You see, that's the difference, Android needs a virus scanner lol. Whereas WP doesn't need it because apps are sandboxed. So have fun with those scanners running in the background slowing down and draining your battery.

Android is the new windows XP, gidda virus scanner...puh lease

Actually you are wrong. All you need on Android (as with any computer-like device) is common sense. Also in case you actually care (which is doubtful) Android apps are sandboxed as well. Each and every Android app runs under its own user, with access to only the data it produced. Access to other apps is only allowed through previously defined interfaces implemented by both apps.

So while they're not sandboxed quite to the extent WP7 apps are, they still are.

The OS should have controls to restrict which data an app can access (eg: Location, Contacts, Phone Calls, SMS, etc.) so far all 3 major platforms fail on this. iOS lets you control location per-app (but not other personal info) and Android warns you what an app can do but doesn't give you any safeguards to control it.

Simon- said,
The OS should have controls to restrict which data an app can access (eg: Location, Contacts, Phone Calls, SMS, etc.) so far all 3 major platforms fail on this. iOS lets you control location per-app (but not other personal info) and Android warns you what an app can do but doesn't give you any safeguards to control it.

WP7 does require apps to get user permission to access location services and such...

Simon- said,
The OS should have controls to restrict which data an app can access (eg: Location, Contacts, Phone Calls, SMS, etc.) so far all 3 major platforms fail on this. iOS lets you control location per-app (but not other personal info) and Android warns you what an app can do but doesn't give you any safeguards to control it.

Windows Phone 7 shows a popup when you open an app that requests those things to confirm you want to let it use them. You also have to confirm every time it wants to send an SMS, make a call or view your contacts.

M_Lyons10 said,

WP7 does require apps to get user permission to access location services and such...

Does the app ask the user, "Do you want the application to track whatever you do on the phone?"? No, it doesn't.

How many people would answer "Yes" to the above question? I hope, Zero, unless you are stupid.

You get a set of leading choices (Yes/No) when you get asked whether to permit an app to do something. That'll get you by in court, but, in real life, lawyer language is making people lose their privacy.

****, ask your mom, what the **** WPA2 is? Is WPA2 better than WPA or is WP7 (sic) better than WPA2? What is WEP? What is location services? Mom and Pop will amaze you with their knowledge about software and technology. They don't even know what they are saying "Yes" to.

The job of policing is with MS, Google, and Apple for their respective app stores. So far, only Apple has done a better (not best or godly) job of stopping malware. Application policing goes a long way to sustaining a lasting loyalty with your customers. Forcing developers to use specific APIs also makes things malware easier to detect and remove.

However, I do not like the way any of the apps in any of the app stores ask for user permission. It just isn't giving users the right information to make an informed decision.

Edited by Jebadiah, Sep 9 2011, 2:14am :

Jebadiah said,
Does the app ask the user, "Do you want the application to track whatever you do on the phone?"? No, it doesn't.

How many people would answer "Yes" to the above question? I hope, Zero, unless you are stupid.

You get a set of leading choices (Yes/No) when you get asked whether to permit an app to do something. That'll get you by in court, but, in real life, lawyer language is making people lose their privacy.

****, ask your mom, what the **** WPA2 is? Is WPA2 better than WPA or is WP7 (sic) better than WPA2? What is WEP? What is location services? Mom and Pop will amaze you with their knowledge about software and technology. They don't even know what they are saying "Yes" to.

The job of policing is with MS, Google, and Apple for their respective app stores. So far, only Apple has done a better (not best or godly) job of stopping malware. Application policing goes a long way to sustaining a lasting loyalty with your customers. Forcing developers to use specific APIs also makes things malware easier to detect and remove.

However, I do not like the way any of the apps in any of the app stores ask for user permission. It just isn't giving users the right information to make an informed decision.

I agree 100%. As the end user, we should be able to select which options we WANT to allow. There should be no "Yes you want to allow all" or "No you can't have the app". That's very poor software design if you ask me. The majority of the time a particular app does NOT need access to certain things. You should be able to install/run that app WITHOUT giving it permission to access said thing.

Example: There is no reason what-so-ever a newsreader would need access to make phone calls. If it's asking permission to do so, the author of that particular app is an idiot. Doesn't matter what OS we're talking about. iOS, Android, WP7, Blackberry....It should give you INDIVIDUAL permission settings for each app and you should have full control.

Simon- said,
The OS should have controls to restrict which data an app can access (eg: Location, Contacts, Phone Calls, SMS, etc.) so far all 3 major platforms fail on this. iOS lets you control location per-app

That's exactly what RIM has been offering on BlackBerry for a long time now. It's that kind of thing that pushes me to use their phones.

Jebadiah said,

ask your mom, what the **** WPA2 is? Is WPA2 better than WPA or is WP7 (sic) better than WPA2? What is WEP?

WindowsPhoneA2 - FTW, Tempted by the WindowsPhoneA as it will be cheaper... but its lower specs will let it down.

We will never see the Windows ePhone on the market as it will lose its trademark dispute with Apple.

Hum said,
As long as it doesn't affect real computers, who cares.

Windows 8 will be able to run WP7 apps- assuming they'll let you sync WP7 apps to the user's PC, this could be significant from your point of view as well!

you know what! i got a bill from my cell company and they KNOW all the calls i made, to whom i made them to, from where, AND FOR how long and at what time!!!!! SPYWARE!!!!!!!!!!! AGGGGHHHHHHHHHH

/sarcasm for the stupid.... get over your tin foil ways and realize privacy as you know it ended 20 years ago

rippleman said,
you know what! i got a bill from my cell company and they KNOW all the calls i made, to whom i made them to, from where, AND FOR how long and at what time!!!!! SPYWARE!!!!!!!!!!! AGGGGHHHHHHHHHH

/sarcasm for the stupid.... get over your tin foil ways and realize privacy as you know it ended 20 years ago

So, that would have no problem giving us your real name, birth date, bank account numbers, social security number, passwords, etc. Oh wait...

Jebadiah said,
So, that would have no problem giving us your real name, birth date, bank account numbers, social security number, passwords, etc. Oh wait...

i don't mind location at all...

@Jebadiah,
I personally sent Google all my information, in a mail. My Gmail account has been upgraded now. You have to do it every six months or so, to keep the upgrade.
You guys can do it too. Send pictures, info and your personal stuff at:

Googleplex
1600 Amphitheatre Parkway Mountain View, CA 94043