Top 5 Best Antivirus for Android of 2020
Updated: February 2020
The best antivirus for 2020. Antivirus, firewall, VPN, password manager and webcam protection.
- Protection: 100%
- Online Privacy: 100%
✓ Trusted by 50 million users around the world
✓ Protects Windows, Mac, Android, and iOS
✓ 60-days money-back guarantee
✓ VPN: Free and unlimited
Read our full Norton Review
Excellent protection at a low price. Antivirus, firewall, VPN, password manager and webcam protection.
- Protection: 100%
- Online Privacy: 98%
✓ Protects Windows, Mac, Android, and iOS
✓ 30-days money-back guarantee
✓ VPN: Free 200 MB per day
Read our full BitDefender Review
Excellent protection. Antivirus, firewall, VPN and a password manager.
- Protection: 98%
- Online Privacy: 93%
✓ Protects Windows, Mac, and Android (not iOS)
✓ 30-days money-back guarantee
✓ VPN: Free 150 MB per day
Read our full Panda Review
Very good protection. Antivirus, firewall and an optional VPN.
- Protection: 95%
- Online Privacy: 83%
✓ Protects Windows, Mac, and Android (not iOS)
✓ 30-days money-back guarantee
✓ VPN: Not included for free
Read our full BullGuard Review
Very good protection. Antivirus, firewall, an optional VPN and a password manager.
- Protection: 93%
- Online Privacy: 85%
✓ Protects Windows, Mac, Android, and iOS
✓ 30-days money-back guarantee
✓ VPN: Not included for free
Read our full McAfee Review
How We Test
Below we explain which factors go into the calculation of our editors’ rating, what each of these factors means, and the data sources we use.
Buying the best antivirus software for Android is important.
So we want to be as clear as possible about the method and data we use to determine the best software.
We analyze the antivirus tools for Android according to 6 factors. All of them matter, but not in equal amounts. Therefore, the impact each has on the final score varies. See the factors, and their impact, in the graph below:
- Protection from Malware: 50%
- Impact on Performance and Speed: 15%
- Devices and Features: 10%
- User Reviews: 10%
- Value for Money: 10%
- False Positives: 5%
The protection, impact and false positives data come from AV-Comparatives and AV-Test. The two institutes are considered to have the best antivirus test facilities in the world.
The user review data comes from TrustPilot and the Google Play Store. TrustPilot specializes in the collection of verified user reviews from both consumers and business buyers, and the Google Play Store has one of the largest collections of software reviews in the world.
The value for money data is our own interpretation of the amount of value offered by the cybersecurity companies. We use the price, features, and protection level as data points, which come from the manufacturers.
The supported devices data comes directly from the manufacturers and is the most straightforward of the factors.
Protection from Malware
Protection from malware makes up 50% of the total score
The core feature of cybersecurity products is protection from malware and other online threats.
Malware, which stands for malicious software, is a term that encompasses a wide range of digital threats. It includes classic malware, such as adware, viruses, spyware, ransomware, and worms, but also human-focused threats that do not necessarily use specific software, such as phishing attacks, social engineering, spam, scams and cyberbullying.
Due to this wide range of threats the antivirus software must combat, the tools have grown increasingly sophisticated over the years. These days, the best antivirus software for Android uses three different methods of keeping you safe, both online and offline.
Below we describe each of these in more detail.
Signature File Detection:
This is the classic form of antivirus protection and the reason why these programs are often called virus scanners. In this method, the antivirus programs scan systems, networks, and files for malicious code, called digital signatures.
These digital signatures are indicators, such as snippets of source code, that allow cybersecurity software to recognize malware. Much like a detective would use a fingerprint to recognize a criminal.
All these digital signatures are stored together in incredibly vast databases which contain hundreds of millions of malware samples. When a cybersecurity firm discovers a new type of malware, it uploads its digital signature to the database, allowing antivirus software to recognize it in the wild.
This method of detection is incredibly fast, scalable and reliable, but it is not perfect. The problem with this method is that it is always one step behind new attacks. After all, a new type of malware must first be discovered and uploaded to the database before the antivirus tools can recognize it.
This makes the software effectively blind against new threats. To combat this, the cybersecurity companies have evolved their methods of malware detection. Below we describe the next step in this evolutionary process.
Heuristic File Detection:
Heuristic file detection takes malware discovery to the next level. Rather than relying on a database of digital signatures, it is capable of discovering new malware threats that have never been seen before.
The key is to look for behavioral patterns instead of code snippets. Once a file is flagged as suspicious, the antivirus program uses one of two ways to continue its analysis:
File Emulation: During file emulation, also called “sandbox testing”, the antivirus software moves the suspicious file to a safe environment, often a virtual machine called the “sandbox”.
Here the file is studied for malicious behavioral patterns, such as rapid replication attempts and hiding or overwriting files. Whenever these behaviors are uncovered, the file is considered malware and will be eliminated.
Genetic Signature Detection: As the development of malware is a lot of hard work, its creators prefer to reuse the same malware as often as possible. To avoid signature-based detection, slight variations of the same malware are created.
The source code of these new variants, however, is often very similar to the original. And this is where genetic signature detection comes in. It analyzes the source of suspicious files and compares this with the source code of known malware samples in the database. When there is a significant overlap, the file is considered dangerous and will be eliminated.
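The difference between exact signature matching and the overlap-based "genetic" matching described above, as an added Python sketch that is not from the original article or from any antivirus vendor. The sample byte strings are constructed, inert stand-ins for file contents, and the 4-byte shingle size and 0.6 threshold are assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib

# Constructed stand-ins for file contents: inert strings, not real samples.
KNOWN = {
    "sample-family-a": (
        b"step1:collect_contacts;step2:open_socket;step3:upload_records;"
        b"step4:hide_launcher_icon;step5:sleep_and_repeat;"
    ),
}
# Same content with one byte changed and padding appended, the kind of
# slight variation the text says is made to avoid signature detection.
VARIANT = KNOWN["sample-family-a"].replace(b"upload_records", b"upload_recordz") + b"#pad01"
CLEAN = b"A weekly shopping list: apples, bread, coffee beans, dish soap, eggs, flour and green tea."

THRESHOLD = 0.6  # assumed cut-off for "significant overlap"


def signature(data: bytes) -> str:
    """Exact-match signature: any single changed byte yields a different value."""
    return hashlib.sha256(data).hexdigest()


def shingles(data: bytes, n: int = 4) -> set[bytes]:
    """All overlapping n-byte windows of the content."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of the two shingle sets, from 0.0 to 1.0."""
    sa, sb = shingles(a), shingles(b)
    if not sa or not sb:  # input shorter than one shingle
        return 0.0
    return len(sa & sb) / len(sa | sb)


# The "database": one exact signature per known sample.
SIGNATURE_DB = {signature(body): name for name, body in KNOWN.items()}


def scan(data: bytes) -> tuple[str, str | None, float]:
    """Return (verdict, matched_name, score).

    Stage 1 is the classic signature lookup. Stage 2 runs only when stage 1
    misses and compares the content against every known sample.
    """
    name = SIGNATURE_DB.get(signature(data))
    if name is not None:
        return ("signature", name, 1.0)

    best_name, best_score = None, 0.0
    for known_name, body in KNOWN.items():
        score = similarity(data, body)
        if score > best_score:
            best_name, best_score = known_name, score

    if best_score >= THRESHOLD:
        return ("variant", best_name, best_score)
    return ("clean", None, best_score)


if __name__ == "__main__":
    for label, blob in (("known", KNOWN["sample-family-a"]),
                        ("variant", VARIANT),
                        ("clean", CLEAN)):
        verdict, name, score = scan(blob)
        print(f"{label:8} -> {verdict:9} match={name} score={score:.2f}")
```

The variant misses the signature lookup because its hash no longer matches, yet it still shares most of its shingles with the known sample, which is why the second stage flags it.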
User-Focused Protection Features:
As malware and anti-malware co-evolve, the creation of new and smarter malware becomes increasingly more difficult. It, therefore, makes sense that many cybercriminals direct their attention to a different strategy: Tricking users into handing over sensitive data.
Phishing scams, in which users are convinced to provide personal information to seemingly trustworthy sources such as their bank or PayPal, have become very common. Although these attacks do not fall under classical malware, they are still a big part of cybersecurity.
In order to protect you from these forms of cybercrime, the best antivirus products have developed a third weapon in their protection arsenal: a wide range of user-focused protection features.
Among these are:
- Web advisors that flag websites you should not visit.
- Wi-Fi advisors that recommend avoiding certain public Wi-Fi networks without a VPN.
- Password managers that help in the generation and storing of highly secure and unique passwords.
- Payment browsers that automatically open when you visit your online bank and provide an additional layer of security.
Impact on Performance and Speed
Performance impact makes up 15% of the total score
This factor measures the slowdown of a device due to the installation of antivirus software. Each antivirus program requires some resources to operate, impacting the operating speed. However, some use considerably more resources than others.
For the Android category, the testing facilities did not provide performance data. We, therefore, have not taken this factor into consideration to select the best antivirus for Android.
Devices and Features
Supported devices makes up 10% of the total score
In the Devices and Features category, we analyze the operating systems that the antivirus tools support, and the features they offer for each. Frequently, antivirus software is fully equipped for Windows, but less so for Mac and Android.
A note on iOS:
All cybersecurity companies featured on SoftwareLab produce products for Windows, Mac, and Android. Not all do so for iOS, the operating software of iPhones and iPads.
While it is true that iOS is a safer operating system than the others, users are still at risk, even on iOS. This might not be because of the threat of malware, but rather due to risky behavior on the users’ part.
As people still use unsafe passwords, fall into phishing scams, visit insecure websites, and surf unencrypted wifi networks, most users could benefit from a cybersecurity product offering protection features for these instances.
User Reviews make up 10% of the total score
User reviews are an incredibly important resource in product research, as they reflect product quality, customer support, and the overall purchasing experience.
Over time, however, user reviews have turned into a powerful market tool, which is often abused by product manufacturers and comparison websites alike, making it difficult to know which user reviews to trust.
To rely only on the most objective and trustworthy source of user reviews, we use the data provided by TrustPilot and the Google Play Store. These two websites are specialized in the collection of real reviews from verified users.
Value For Money
Value for Money makes up 10% of the total score
Malware can cause incredible harm, both emotionally and financially. Purchasing an antivirus product solely on the basis of its price is therefore not recommended.
That being said, price does of course play an important role, especially considering that many of the antivirus software providers offer very similar products and protection.
To research this, we have analyzed the price, protection level and features offered by the various security providers.
False Positives makes up 5% of the total score
False positives are events in which antivirus tools flag a clean file as malware. It is nothing dramatic but can be annoying. When it comes to antivirus for Android, it seems that false positives are a thing of the past. All antivirus providers, except Avast, have scored a perfect score in this department.
AV-Test is a German cybersecurity research and test firm that has been active since 2003. It runs in-depth antivirus analysis for both consumer and corporate grade cybersecurity products. It has become a global brand known for accurate testing and credible results. We consult the findings of AV-Test for the protection and performance scores.
AV-Comparatives is the second, globally recognized, cybersecurity research and test firm. They have been active since 1999 and are known for their ability to create real-world simulations in which all aspects of the antivirus software can be tested. Like AV-Test, we consult the findings of AV-Comparatives for the protection and performance scores.
TrustPilot specializes in the collection of verified user reviews from consumers. It is one of the largest platforms of its kind, featuring over 45 million reviews covering 200.000 businesses worldwide.
The Google Play Store is the app store for Android, the most used mobile operating system in the world. The Google Play Store has one of the largest software review databases in the world.
Tech enthusiast and founder of SoftwareLab. He has degrees in Engineering and Business, and has been active in the analysis of software, electronics and digital services since 2013.
Frequently Asked Questions
Below we have summed up the most commonly asked questions surrounding the topic of cybersecurity and the best antivirus software for Android.
What Is Adware?
Adware is usually free software designed for one of two reasons. Legitimate reasons include product-sponsored advertisements, redirects to sponsored websites, and service trials. Adware used for malicious purposes falls under the category of spyware, as it can track the user’s browsing preferences, collect and transmit sensitive data, and compromise their privacy and security.
Other terms used for adware are pitchware and freeware. Most adware software tends to be web-based and is often installed on the end-user’s device through pop-ups, links, or files and other programs that have adware software embedded in them. Not all adware operates covertly on a user’s device. However, specific anti-adware software is still required to remove such applications.
What Is Antivirus?
An antivirus or anti-virus software is a program that can search hard drives, external storage devices, and other external media for viruses, worms, and other types of malware. It’s a utility tool or suite of programs designed to detect, quarantine, remove, and prevent threats from making their way onto a computer or network of computers.
This type of software can identify viruses by using a dictionary or database of known viruses. Antivirus software can also flag any type of suspicious behavior, which is why some cracked programs that tend to change various settings or files to operate in an unintended way often have files flagged as threats.
What Is a Botnet?
A botnet is an interconnected network of devices, each of which can carry one or more internet bots. Since those bots can be used to perform automated tasks such as launching DDoS attacks or SQL injection attacks, a botnet is often used for powerful disruptive attacks on databases, servers, networks, or even well-protected individual devices.
A common term for a botnet is zombie army. That’s because the devices used in botnet attacks are unwilling participants and mere hosts to internet bots that operate covertly. In most cases, users don’t even know that their computer is part of one such network. Botnets are often rented by their owners to whoever needs the superior computing power and a stealthy way of attacking a target.
What Is a Computer Exploit?
A computer exploit can be anything from a few lines of code to various malware programs that can take advantage of some vulnerability in an application, network connection, or even hardware components. Computer exploits are used for a number of malicious actions such as stealing sensitive information, establishing backdoor access, stealing bank account details, corrupting data, etc.
Some computer exploits are discovered by security firms that hack their clients’ systems in order to discover and point out certain vulnerabilities. One of the most dangerous types of exploits is known as a zero-day exploit. It is virtually impossible to defend against because it uses newly discovered hardware and software vulnerabilities that haven’t yet been patched by developers.
What Is a Computer Virus?
Any self-replicating malicious code or program is classified as a computer virus. If it has the ability to copy its code into other programs or rewrite parts of code from other programs to suit its needs and propagate, it is referred to as a computer virus. Viruses have various subclasses, each with a clear definition based on its behavior and purpose.
Although computer viruses can enter systems via unprotected networks or by downloading files, attachments, and infected programs on the end-user device, a virus won’t start affecting the system until the corrupted file is opened. Most viruses can be detected, moved to quarantine, and removed before causing any harm when using up-to-date antivirus software.
What Is a Computer Worm?
Computer worms are a type of malicious software. They form a subcategory of viruses which can propagate without human help. This means that there is no need to open files or programs for the worm to copy itself multiple times and spread through a network.
Most often, computer worms enter through unprotected network connections. They can be used to slow down the performance of multiple devices. Another common use involves the delivery of a payload which can establish backdoor access into a system. This backdoor access leaves the system unprotected against other malware threats and allows hackers to remotely control the infected device or network.
What Is Computer Hacking?
Computer hacking can be used for both good and bad things. It gets its negative connotation because of its use in stealing information, money, corrupting data, and other actions that come as a result of unauthorized intrusion into a network of computers or individual devices.
When used for noble reasons, computer hacking is done either by freelance hackers, benevolent activists, or security companies in order to find vulnerabilities in programs and systems. Once found, patches can be developed and implemented to prevent future exploit attempts from being successful.
What Is Cybercrime?
Cybercrime or computer crime is a class of crimes that involve either targeting computers and networks or using them as tools to commit acts of crime, as defined by law. For example, phishing is a cybercrime as it is often used to illegally obtain sensitive information, login credentials, and even sensitive personal information.
Identity theft can also be a cybercrime when hacking or malware programs are used to obtain a person’s identifying information either for the hacker’s personal gain or sale to an interested party. Some classify cybercrimes depending on the target: either computer systems or device owners. There are, however, multiple subtypes of cybercrime, each with its own specific legislation and form of punishment.
What Is a DDoS Attack?
DDoS attacks or distributed denial-of-service attacks are most often web-based and target large corporations, enterprises, online marketplaces, and other similar businesses. They are designed to disrupt the normal operation flow by slowing it down. This happens when too much internet traffic is redirected at the target, effectively flooding the bandwidth and compromising the performance of software and hardware components.
DDoS attacks are usually carried out through a botnet. The larger the botnet, the more powerful the attack since more bots are able to generate more incoming data to the target. Advanced firewall protection is usually required to prevent DDoS attacks from causing damage.
What Is Identity Theft?
Identity theft is quickly becoming the bread and butter of most cybercriminals due to the sheer number of ways in which one can gain personal identifying information from someone over the internet. Anything that leads to the theft of identifying information that could be used to replicate an identity or create a new one is considered identity theft.
In cybercrime, there isn’t a specific designation for identity theft involving the use of computers or means of electronic communication. Identity theft is still also practiced via low-tech methods like dumpster diving, stealing documents, or physically listening in on confidential conversations. Phishing is often used for identity theft, particularly to steal login credentials and online banking information.
What Is a Keylogger?
Keyloggers are software or hardware devices that can monitor and record keystrokes on a keyboard. Some record keystrokes once a specific user has entered their account, while others record everything from the moment a device boots up. Most hardware keyloggers need a constant physical connection with the device in order to record information. Some may also be able to steal from devices without an internet connection if they have their own built-in Wi-Fi antenna.
While not always used for illegal activities, keyloggers usually imply something negative. Due to their ability to record such important actions and their design that allows them to operate covertly, they are used in creating backdoors, stealing confidential information, obtaining credit card information, and even as aids in identity theft.
What Is Malware?
Malware is a broad category of potentially harmful software designed to take advantage of various vulnerabilities in foreign systems and networks. It can refer to everything from computer worms and viruses to ransomware, spyware, and zero-day exploits.
Protection against malware is usually achieved by using an antivirus suite with multiple safeguards such as threat detection, spyware and adware removal, firewall, etc. Double-checking file attachments and suspicious links is also something to keep in mind when trying to avoid infecting a device with malware.
What Is Phishing?
Phishing is a type of social engineering technique in which the perpetrator either poses as a trustworthy entity or establishes trustworthy domains or email addresses for the purpose of stealing valuable information or getting people to download and open infected files on their devices.
This is one of those scams that can be easily avoided at times. Most antivirus programs might not be able to flag fake links or domain names. However, they should flag potentially infected files once downloaded onto a storage drive. The best protection against phishing remains exercising caution and understanding that very few legitimate entities will ever ask you to share personal information via email or social media, which makes any such request suspicious.
What Is Ransomware?
Ransomware is software that uses advanced encryption techniques to put a stranglehold on files, documents, and other data on the target device or a network of devices. Once the files are encrypted, they cannot be used again without the encryption key. This is where the “ransom” in ransomware comes in, as most attackers ask for a ransom in exchange for said key.
This type of software can be installed via backdoor access or by the victim after downloading and accessing infected files or programs. Ransomware is also sometimes used in blackmailing. In these scenarios, the perpetrators inform their victims that their personal files have been copied and are ready to be made public. The only way to avoid it is to pay the ransom, usually in untraceable digital currencies.
What Is a Rootkit?
A rootkit is one of the most dangerous types of malware that can affect a computer or network of computers. Some rootkits may be standalone programs that install a backdoor through which they grant hackers remote access to a system. Others are much more complex and act as malware suites capable of performing various actions on the target system.
Rootkit suites often contain Trojan worms, keyloggers, spyware, and viruses that can break into a system, leave a backdoor open, and corrupt, steal, or even erase data. Think of a rootkit as the exact opposite of an antivirus suite which provides total protection on multiple fronts.
What Is a Scam?
Scams are frauds that can be carried out both online and offline. Most online scams that are classified and tried under cybercrime laws involve stealing information or compromising the victim’s security. Scams can target individuals, groups, organizations, or even governments.
In computer security, scams often involve various social engineering techniques for the purpose of committing fraud (tax fraud, donation fraud, auction fraud, etc.), identity theft, or even obtaining information for use in targeted marketing campaigns. Scams aren’t to be confused with cons. Sometimes a scam is just a step in a larger con.
What Is Social Engineering?
Social engineering, when referred to in the context of computer security and cybercrime, involves any action that makes use of psychological manipulation techniques against individuals or groups of people. These actions often result in extorting information or gathering information for financial gain.
Another common use for social engineering is to gain an advantage over the competition by compromising data, stealing research, or modifying data to make the competitor look bad. Corporate espionage is also considered a technique of social engineering. Phishing is a popular choice for most cybercriminals who favor attacks based on social engineering principles.
What Is Spam?
Sending any type of electronic messages in bulk can be classified as spam, if said messages are unwanted and unsolicited by the recipient. Spam is not considered illegal unless certain aspects of social engineering are used for access to information. Most often, spam is used in marketing campaigns for services and products.
It is considered an economical way of advertising, even though most email service providers do a good job of filtering out spam emails. That being said, the term spam doesn’t only refer to email messages. It also refers to spam chat, instant messaging, blog posts, fake news updates, and other types of electronic messages that are delivered in bulk.
What Is Email, IP, or DNS Spoofing?
In short, spoofing is the action of disguising an email, IP, or DNS (domain name system) for the purpose of establishing credibility.
Unknown email sources are sometimes spoofed to appear as trustworthy email addresses from banks, internet service providers, or even law enforcement agencies. Such emails contain messages that attempt to trick people into sharing their identifying information, divulging their financial credentials, or sending money.
IP spoofing can also be used with malicious intent if the spoofed IP address allows access to restricted networks. Other times, it is used by VPN software to allow users access to restricted websites or to bypass georestrictions and access multimedia content they can’t access from their actual location.
DNS spoofing is also dangerous. It can be used to divert traffic from legitimate websites to fake websites that look good on paper but could be infested with viruses, spyware, adware, and other types of malware.
What Is Spyware?
Spyware is malware that can operate covertly on the target’s device. Its job is usually to monitor, record, and transmit information to a third party. That information could contain anything from keystrokes to browsing patterns and browsing history.
Often carrying a negative connotation, spyware is an offshoot of adware. As such, the term can refer to a number of programs such as keyloggers, tracking cookies, system monitors, or even Trojan viruses. Most often, spyware removal software needs to be used to completely eliminate spyware from infected systems. Regular antivirus programs may not work, but an antivirus suite with spyware removal capabilities should do the trick.
What Is an SQL Injection Attack?
SQL injection attacks are web-based attacks directed at user-input fields in a targeted database. Such attacks are used in an attempt to steal information like usernames and passwords. In poorly executed and managed websites, such SQL queries can bypass user-input fields and allow access to the information stored in the database.
As a result, information can be stolen, corrupted, modified, or even deleted. These types of attacks are often carried out against online vendors. That’s because forms such as login forms, feedback forms, shopping cart forms, and request forms are theoretically vulnerable to SQL injection attacks. These attacks are highly popular against both ill-protected and well-protected databases. However, only the latter manage to avoid any serious damage.
What Is a Trojan Horse?
Adequately named after an ancient infiltration tactic used in warfare, a Trojan horse is known in computer security as an apparently benign piece of software that can do a lot of damage to a system, establish remote access, or steal sensitive information once activated. It is a type of malware that falls under the computer virus category.
Unlike other computer viruses, a Trojan virus isn’t designed with self-replicating capabilities. It is instead spread through various social engineering techniques. However, it is still a dangerous type of malware, even without the ability to spread itself onto other systems in a network. That’s because it has the ability to grant unauthorized access or download other viruses with self-replicating properties.
What Is a Zero-Day Exploit?
A zero-day exploit can be considered the holy grail of any hacker with a criminal agenda. Zero-day exploits refer to those computer exploits (both hardware and software-based) that allow criminals to take advantage of undiscovered, unpublicized, or as of yet unresolved vulnerabilities. If the person using the exploit is the only one that knows about the vulnerability, then it is called a zero-day exploit.
Though very few choose to share these exploits for fear of losing their advantage, some exploits eventually get publicized. Once they become common knowledge, the rush to write a patch for the vulnerability begins. The exploit is also no longer called a zero-day exploit but becomes an N-day exploit. The N in the name stands for the number of days since the exploit has been made public knowledge.
Below you can find all the sources we have used in our analysis
Disclaimer: SoftwareLab.org is not an antivirus, VPN or hosting service provider and does not endorse the use of the products featured on this website for unlawful means. It is the responsibility of the user to adhere to all applicable laws. We have no control over the third-party websites we link to and they are governed by their own terms and conditions. SoftwareLab.org is supported by advertisement in order to be a free-to-use resource. We strive to keep the information accurate and up-to-date, but cannot guarantee that it is always the case.