[Antivirus/malware false positive?] Tool triggered google account security response and malware bytes quarantine.

[Tao-NL]

Hi,

This post is copied from my reddit reply to your tool/project reply, also see original post, to properly raise the issue on your tools Github page:

I had your save editor open for a little while this morning after my first download of it yesterday, just running in the background. All of a sudden Google flagged my account activity as suspicious, logging me out and triggering a critical security alert, while I was just working with their systems in my browser, doing some editing of video descriptions on YouTube. The alert contained the following info:

'Google detected suspicious activity in your account that indicates you may have harmful software (malware) on one of your devices. Malware can be used to steal personal information, including passwords.'

Scanning system with Malwarebytes right after flagged your tool as below and quarantined it. No other issues detected during the scan:

https://www.malwarebytes.com/blog/detections/agent-spyware-stealer-dds

Based on the Google security info and the Malwarebytes scan result right after it suggests it could be related to your tool. Unless somehow YouTube studio (or something else entirely) caused this behavior on its own, right at the moment your tool happened to be open, and it's just one big coincidence. I work in IT myself and I tend to be really careful using 'unknown/homebrew' programs/scripts until I feel there are no red flags to speak of. Now first impressions of the tool, its (niche) purpose, your github page and your reddit account seem fine and I'm aware there is a possibility for false positives based on how a program looks to AV/malwarescanners etc. I can also follow your reasoning in your reddit post that the GUI version is made with a python2exe program approach that malware creators also tend to use and this may be the cause for a false positive in this case. But I am still wondering if there's something about this tools 'behavior' that could cause this reaction in Google's security systems.

I didn't even realize Google monitors like this and is able to point a finger at software on my system, the thing that makes me feel uneasy is that it reported suspicious activity in my account and the info suggesting that it's a result of a (this?) tool running on my system, even though that wording from Google is very vague and general, something clearly triggered it. I'm not a programmer myself, beyond some very basic things, so I'd appreciate you shedding some more light on this.

Edit: Rephrased for clarity

[jamesthejellyfish]

Hmm, that is really odd, I didn't even know that google could do that. I'm 90% sure that this is caused by the fact that I'm using py2exe in a onefile configuration, coupled with the fact that I am reading and editing files on a device, which are all common things that malware would do. However, there is a very small nonzero chance that there is something that was injected into the exe file at some point in the pipeline that I was not privy to, either by py2exe (unlikely) or maybe by some other program running on my computer. I'm going to look into this a bit more and probably create a new release that doesn't get flagged, but in the meantime I would recommend building from source, as that is the safer option since you can read through everything that's running.

[Tao-NL]

Thanks for your reply. Can you keep me posted please? I would like to know if you find anything nasty in the file/version I used. I took precautions after Google's notification, but the program ran for a while, so I'd like to be as sure as I can if anything problematic relating to my privacy and personal data may have happened due to this.

[jamesthejellyfish]

Sure thing. From a cursory look at virus total, it doesn't seem to be doing anything that it shouldn't be (it isn't creating/modifying any important files or making any ip address requests). The main thing I'm going to double check later tonight is rerunning everything on a different computer and doing a hash comparison, just to make sure there wasn't anything on my computer that injected into the exe file. I'll lyk when I've done that what the result is.

[Tao-NL]

Thanks looking forward to the results.

With regards to the cursory look, are you talking about the info on the behavior page for the scanned exe? Or looking elsewhere?

https://www.virustotal.com/gui/file/668ec3dd8f4d61d2a26cca5e771173ea3e74208857953d0a1460635e8f352216/behavior

[jamesthejellyfish]

Yes that's where I was looking. The IPs it logs are all official trusted sources (it shouldn't be accessing any IPs, but I assume that the sandbox is making those requests on their own), so there's nothing malicious being sent out, at least from their sandbox testing.

[jamesthejellyfish]

So I did a clean install of pyinstaller and re-compiled everything and got the same flags on virustotal. I think its just something to do with pyinstaller; recompiling with a more recent version removes the issues with virustotal. However, out of an abundance of caution I've removed the exe file from my releases and will find a better solution in the near future. I'll let you know if anyone reports anything else.

[Tao-NL]

Ok, I understand you still feel that this has been a false positive, and nothing malicious should've happened, based on your own testing and findings from virustotal sandbox testing of the file.

Few more questions:

• Did you do the hash comparison too between the two identical compilations (old vs new) after the fresh install of the old pyinstaller version on a different system. Just to verify the compiled version was indeed a true copy?
• How did you determine those ip's were all trusted sources, over whois or something along those lines? Or am I missing an indicator on virustotal that confirms that they're all trusted/ok? I'm looking at the behavior url we talked about yesterday, at the 'IP Traffic' section.
• You mentioned you couldn't see any strange read/write behavior to important files listed on virustotal, same goes for registry actions etc right?
• Do you have any idea at all why google may have detected activity in my account while just taking your tool or py2exe's normal behavior into account? I don't think Google should be able to see what your actual pc is doing, it should just be guarding its own systems and users so seems like something triggered a response on their platform or its boundaries where they determined the probable origin was my pc/malware. Perhaps it seemed like something was trying to influence their cookies they monitor? I can't think of many scenario's myself in this case, I just wonder what it could've been.

[jamesthejellyfish]

Sure thing! Here's my analysis as best I understand it:

• I did do a hash comparison and the version after the fresh install was slightly different (the file size is about 160kb smaller), so the hashes didn't match. However several hashes that virustotal does to determine similarity between files were the exact same (the Vhash, Imphash, and rich PE header hash). I believe that this discrepancy is due to changes in my python environment between last compiling and now. I tried compiling on a number of different machines and the same code resulted in wildly different file sizes on each machine, so it seems that pyinstaller is extremely sensitive to a computer's architecture and python environment. I will be trying to track down the version of all my python tools that I used to try and create an exact match, but I haven't had any luck so far. You can look at the virustotal page comparing my clean install compilation here : https://www.virustotal.com/gui/file/502e05766913d0f6470bf30a6160cde7c78fe951047b1e848eaa3d4411552127/detection
• I was looking at whois lookups and another lookup tool https://www.abuseipdb.com. All of the urls, at least that I checked (i'm pretty sure I checked them all), were either from official sources like microsoft, or were local ip addresses. As far as I can tell, this was just network traffic specific to the VM, which is why the other sandboxes didn't report them.
• Yes. As far as I can tell, again the registry actions, at least the registry write actions, seem to me like they were caused by other processes while the sandboxes were performing their tests, which is why the sandboxes don't have any consensus about the behaviour in that regard.
• I am also curious as to what caused this. I have not been able to find much information online about what google monitors/is allowed to monitor on your computer while it is operating, so I don't know if it is able to detect running processes and warn you about them even if they aren't doing anything actively malicious. I haven't been able to reproduce this and I haven't seen too many people reporting similar behaviour from google anywhere online. It's hard to say for sure what triggered it with so little information about it.

TL;DR: I am still fairly certain that this is a false positive, because I have been unable to track down any behaviour or code that is different from what should be expected, but I also have not been able to conclusively rule out the possibility that something was injected into the binary without my knowledge, however unlikely I find that possibility. I will continue picking apart the binary and hopefully will find something more conclusive, but that's essentially where I'm at atm. I am by no means a cybersecurity expert, so take everything I'm saying with a grain of salt, but I'm trying my best to make sure that I can get to the bottom of this.

[Tao-NL]

Ok thanks for your effort so far, please keep me posted.

[jamesthejellyfish]

Hey, so sorry to have taken so long to get back to you with an update. I de-compiled the file and compared it line by line with a clean install and am confident in saying that it was a false positive. I'm re-adding a new release and will hopefully be going through the steps of whitelisting the software with various antivirus software to hopefully prevent this false positive in the future. Again, sorry for taking so long for an update, it took a long time to be sure and I have been occupied with other things as well.

[Tao-NL]

Hi James, thanks for getting back to me, that's good news. I haven't encountered any further issues/security responses in the meantime, been doing a good few scans this past month which all came back clean. Still very odd that Google systems triggered but I guess we can speculate about that all we want, Google isn't going to provide any details. Maybe the stars aligned, and there was some other factor we didn't think of. I hope that'll be the end of it, I appreciate all your effort. Can you please let me know when the new release is whitelisted?