ViWu / NoteText

🗃️ A study app for Android where you can create your own set(s) of flashcards! Now available for download in the Amazon app store! 🔥
Apache License 2.0

Integrity issue #1

Open IzzySoft opened 7 years ago

IzzySoft commented 7 years ago

Just to let you know that 4 scanners on VirusTotal report warnings for your APK. I usually ignore "PUPs" (potentially unwanted parts), but in this case one is even reporting Spyware. Not accusing you (some count ads and analysis trackers as spyware, and I can understand that) – just letting you know. Any idea what that might be?

ViWu commented 7 years ago

Hi there! Thanks for reaching out and bringing the issue to my attention. I'm not sure what's causing it, since the only files I edit are the Java and XML files in the project, which should all be visible in my commit log. In my manifest file, I only request two permissions, which are android.permission.VIBRATE and android.permission.WAKE_LOCK. The only other possibility I can think of is how the app works: it stores the data internally on the device. So the files containing that data are constantly being opened, created, read, written, and modified. In my Main Activity class, I have two methods called fileRead() and fileWrite() which use a BufferedWriter and FileInputStream respectively, which I think is the most likely possibility. The rest of the file methods are in the main menu class. Hope that helps, and if there are any other questions or suggestions, let me know. Thanks!

IzzySoft commented 7 years ago

Thanks for your fast response! I was as confused as you are – especially as (other than what you just wrote) that version doesn't request a single permission, according to aapt d badging (strange, as the Manifest in the repo explicitly states the two you've named – how can that be? Looks like a bug in aapt, as even the VT page shows them). But even with those two, I don't see how it could "spy".

I'm not an Android dev, so I don't have any closer ideas. I've decompiled it using apktool, and the only suspicious thing I could identify is that instant-run.zip (containing a bunch of .dex files).

I don't know what you use for development. I remember from a similar case that it was caused by some library/module in use by AndroidStudio, and a recompile after an update of that produced a "clean APK".

Sorry that I cannot help further – but I thought you should at least get to know in a "decent way" (hence the carefully chosen title :smile_cat: ). I've just left a comment on that VT scan (pointing here) and scheduled a rescan (might take a while until that's through) which hopefully clears up at least the "dangerous looking ones". As indicated, I don't give much on WhiteArmor's PUP (they throw around with alerts far too easily to be taken seriously IMHO) – but 4 warnings should not be taken too lightly.

May I suggest to check whether there're any updates to your DevSuite (AndroidStudio or whatever you use) and if so, apply them – then compile the APK again and have VT check it to compare? If they give an "all clear", you could simply replace the current file then (unless it could represent a new release, even a minor one as e.g. 2.0.1).

OK, now the rescan is through. Bad news, one more hit: TrendMicro now also reports it suspicious :scream_cat:

ViWu commented 7 years ago

Thanks for the feedback! May I ask how you are getting my APK (the one that you scanned)? Did you clone the project and run it in an IDE to generate it? If so, which environment did you use (I use Android Studio)? I ran the scan via VT on app-debug-unaligned.apk under the outputs folder of the project, which is the same APK file I submitted to Amazon on multiple occasions for release, and it has passed Amazon's validation processes every time, which includes scanning for spyware. Results for the VT scan are here.

Also, do you remember the name of the library/module that caused the similar case? That might help. As for your rescan, I'm not sure why it found an additional hit, assuming you're scanning the same file.

If the cause isn't in the source code, my guess without knowing anything else is that it could be a false positive detection, due to limitations/differences in the antivirus programs, which is not all that uncommon. Hopefully that helps, and let me know if there are any other questions. Thanks!

IzzySoft commented 7 years ago

> May I ask you how are you getting my APK (The one that you scanned)?

Sure: I downloaded it from releases/. Btw, I told you about that "ominous blob" (instant-run.zip) contained in the APK? That seems responsible for at least one hit. So maybe you could check where that came from, and how it's integrated? Could be that is at least triggering something, as the report shows.

> do you remember the name of the library/module that caused the similar case?

Unfortunately not, sorry – that was quite a while ago. Did the same back then as now, reporting it to the dev via an issue here at Github. But it seems in that case I used an already existing issue, as I cannot find it among the ones I've opened. And unfortunately, I couldn't figure out how to search for issues one just participated in (only created, assigned, mentioned)…

> As for your rescan, I'm not sure why it found an additional hit, assuming you're scanning the same file.

Updated signature on the scanner? Or that TrendMicro was just added (I didn't check that)?

> If the cause isn't in the source code, my guess without knowing anything else is that it could be a false positive detection, due to limitations/differences in the antivirus programs, which is not all that uncommon.

I'd agree with that if it were one lone scanner reporting it (or maybe two and one of them is WhiteArmor). My margin between "notice" and "warning" is 5 hits, which is now reached.
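
The manual apktool check described in the thread, spotting an archive of .dex files nested inside the APK, can be automated before a release is published. This is an added example, not part of the thread or of the NoteText project; the function names and the sample APK contents (including the slice file names) are constructed for illustration.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"  # first four bytes of every .dex file


def nested_dex_archives(apk_bytes):
    """Map each zip member of the APK that is itself a zip holding .dex
    files (as instant-run.zip does) to the sorted list of those entries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            data = apk.read(info)
            if not zipfile.is_zipfile(io.BytesIO(data)):
                continue
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                dex = [n for n in inner.namelist()
                       if inner.read(n)[:4] == DEX_MAGIC]
            if dex:
                findings[info.filename] = sorted(dex)
    return findings


def build_sample_apk(with_instant_run):
    """Constructed stand-in for an APK: just enough zip structure to test."""
    fake_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<constructed/>")
        apk.writestr("classes.dex", fake_dex)
        if with_instant_run:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as blob:
                blob.writestr("slice_0-classes.dex", fake_dex)  # hypothetical names
                blob.writestr("slice_1-classes.dex", fake_dex)
            apk.writestr("instant-run.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("debug-style build", True), ("clean build", False)):
        hits = nested_dex_archives(build_sample_apk(flag))
        print(label, "->", hits or "no nested dex archives")
```

For a real file, pass the bytes of the APK read from disk; any finding means the artifact carries a secondary archive of executable code that should be explained before upload.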

ViWu commented 7 years ago

Update: So I released a new version of the app (v2.1) and recompiled the APK under the new release like you suggested in your second post. I scanned it via VT. Results are here. Only White Armor reports PUP, so it's a good sign since there are no other hits.

Can you scan and test to verify? You can find the latest APK under the latest release.

IzzySoft commented 7 years ago

That's fantastic! And well, as I said before: WhiteArmor we can "safely ignore" (at least if it only reports a "pup"). I've just updated it manually, and see the same on my end. So I removed the "dangerous" version (we've got a newer one anyway), and pushed the update to the server right now.

I'd say mission accomplished (feel free to close this issue), and congratulations! Plus thanks for your effort, and taking things seriously :+1:

Um: Looks like I didn't mention this? :flushed:

IzzySoft commented 4 years ago

@ViWu just wondering, with the last visible activity in 3/2018, do you still maintain this app?