Difference between free version and paid version of Bitdefender Mobile Security for Android

Hello there,

As stated by others in this thread, we indeed do not scan the system apps, but we do scan any updates that might occur for system apps (since those can be uninstalled). Also, I previously answered this question in another discussion: https://community.bitdefender.com/en/discussion/comment/333556#Comment_333556

I guess that other vendors might have different points of view about scanning the system apps, but personally I think all that would do is increase the time it takes for a full scan to complete.

Regarding root access, we strongly recommend that you keep your device stock unless you are very tech savvy and are very well aware of all consequences. Even if you're highly skilled, you still expose yourself to a lot of threats by using a device with root access. @Flexx asked whether it would make sense for us to scan internal system files of rooted device and I believe it wouldn't be worth the effort invested into the research and implementation of such feature, neither for us nor for our clients. I have two simple arguments to back this up:

• Root access opens the gate for highly sophisticated threats which could simply uninstall any and all anti-malware solutions on the device before they even get to scan it or alert the user
• The internal structure of the OS can greatly differ from one custom ROM to another and any system file can be modified at the users will. Those of you who experimented with such things know that there are a lot of mods that one can do to a rooted device, some of which are pretty unorthodox but are well intended. This means there would be a very fine line between what's malicious and what is not.

Hope this answer helps, I'm glad to help you guys with any other follow up questions!

Yes, it is harder for a ransomware to encrypt user data on a stock device but it's not impossible. I haven't seen Android malware that is specifically targeting rooted devices only, but some do use root if it's available. The logic is usually something like "if the device is rooted then escalate privileges and drop all bombs, otherwise do what you can". Also, generic malware is made with the average user in mind, while a rooted device usually indicates a power user. Since power users are harder to trick and they make up a small percentage of all users, it's not very profitable for threat authors to specifically target them. Anyways, my point is that a ransomware app would be detected by BMS regardless of the OS integrity.

As for the modded apps, those with the "TestKey" detection are signed with publicly available or leaked certificates. That is usually not a good sign and could (hence the "Riskware" and not "Trojan" detection) indicate that the author attempted to hide their identity in an attempt to evade detection. If such an app is not detected with "TestKey" then it means that whoever repacked the app played it fair and used their own certificate.

Edit: I forgot to link to my other more detailed comment on the matter of TestKey detection https://community.bitdefender.com/en/discussion/comment/335893/#Comment_335893

What I meant is that the verdict is given by a rule which matches the APK file. No runtime information is taken into consideration.