Third-party security apps are an integral part of the Android app ecosystem. Many users install them as an extra layer of protection for their devices. By installing security apps, the smartphone users place a significant amount of trust on them allowing access to many smartphone resources that contain personal information such as the storage, text messages, email, and browser history. As such, it is essential to understand the mobile security apps ecosystem. In this paper, we present the first empirical study of Android security apps. We analyse 100 Android security apps from multiple aspects and offer insights to their operations and behaviours. Our results show that 20% of the security apps resell the data they collect to third parties; in some cases, even without the user consent. Also, we show that around 50% of the security apps fail to identify known malware.