Last week I received a question from a reader that surprised me. In effect, he asked why antivirus programs couldn't take advantage of their trusted status to steal personal data and generally spy on you. My immediate gut reaction was: No way! But in order to answer him I really had to think it through.
This reader’s thoughts were as follows: "If I were a real criminal and had financial resources of something like a foreign enemy to fund me, I could hire the best talent and build a good AV program that is free and actually works. Since I am scanning your machine and all your document files, couldn't I encrypt a few of your personal files and send them home to my server? Can I not get through your firewall because I have a legit need to call home so to speak to check for updates?"
Well, yes and no.
Rogue antivirus programs do exist, and these days they look as good as or better than the real thing. We also call them “scareware” because they always pretend to find alarming malware infestations. The scan is free, but naturally you have to pay if you want them to "remove" what they "found." Now the bad guys have your money and your credit card number.
Scareware is big business. Some of these frauds actually have tech support and customer service hotlines. One of my contacts in the antivirus industry told me about a customer who was furious when the legitimate antivirus program quarantined the rogue. "That was my antivirus," ranted the customer, "I paid for it!"
The one difference between these products and the reader's doomsday scenario, and it's a big difference, is that they don't actually work. They generally scan much faster than legitimate programs, because they're not actually doing anything. In addition, the free-scan paid-clean-up model is a bit of a giveaway, as very few legitimate programs follow that model.
Scareware programs exist specifically to make money. A working antivirus program that incorporates malicious features would be quite another thing. Fortunately, getting away with something like that would be really, really tough.
Independent antivirus testing labs like Dennis Technology Labs, AV-Comparatives, AV-Test, and others put antivirus programs under serious scrutiny. Their aim is to measure how well these products protect against malware, but many of the tests would also catch betrayal from within.
Here's an example. One sign of a bot infestation is suspicious traffic between the bot and its command-and-control server, so you can bet antivirus researchers are watching network traffic closely. A traitorous antivirus program would trigger the same kind of alarms.
In most cases, getting an antivirus program tested and certified costs the vendor money. That being the case, some vendors of free antivirus solutions don't participate. However, quite a few do. If you're truly worried, pick a free solution from a company that does participate in testing. For example, there’s AVG, Avast, Bitdefender Free, and a number of gratis lab-vetted solutions out there.
Doesn't make financial sense
Most vendors offer a range of security products, with free antivirus at the bottom of the range. They profit when any free user upgrades to commercial antivirus, or to a security suite, or purchases some other type of security product. Wide distribution of free antivirus gives the company a built-in customer base for paid products, and ensures that the company name is widely known. Throwing all this away in order to create some kind of spy program would be nuts.
That said, it's still faintly conceivable that a nation-state could secretly create some kind of antivirus-spy program, since the aim is not to make money but to steal data. You might think twice before installing a brand new antivirus from an iffy region like North Korea, for example.
I wouldn't worry at all about installing a well-known free antivirus, especially one that's part of bigger product line. It's even better if the vendor has been around for years – Avast Software just celebrated 25 years in business. You're a lot more likely to suffer from the fallout of a data breach than to encounter an antivirus that's turned to the dark side.