kivy / kivy

Open source UI framework written in Python, running on Windows, Linux, macOS, Android and iOS
https://kivy.org
MIT License

recent versions of Kivy.app contain a file infected with malware #5211

Closed gkanarek closed 6 years ago

gkanarek commented 7 years ago

I'm aware of this problem in at least the 1.9.1 and 1.10 versions of Kivy.app for python 3. The file Kivy.app/Contents/MacOS/Kivy (a Unix executable with a creation date of April 25, 2015) is infected with the Backdoor.Eleanor malware.

Here's an analysis of the file: https://www.virustotal.com/en/file/896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb/analysis/1496410669/

dessant commented 7 years ago

@gkanarek, thanks for the report. We have stopped serving https://kivy.org/downloads/ while we look into the issue.

KeyWeeUsr commented 7 years ago

@gkanarek I've uploaded the clean .dmg file to VirusTotal and I got perfect results. If I were you, I'd probably peek into the past and remember if I installed something called EasyDoc Converter (maybe there's a log somewhere, or maybe it's still installed?)

Or, it might be the platypus thing, but I don't believe it.

gkanarek commented 7 years ago

@KeyWeeUsr What I did was download the dmg, mount it, and show the Kivy.app package contents directly off the disk image, without copying to my hard drive. Then I uploaded the "infected file" to virustotal, which resulted in the link I posted above.

gkanarek commented 7 years ago

@KeyWeeUsr and specifically, I have definitely not installed EasyDoc Converter on this machine. I also checked everywhere else on my machine, and nothing else has the malware.

KeyWeeUsr commented 7 years ago

Okay, now it makes sense to me:

... or not :D Maybe it has some additional data in the archive and those might be executed when unpacking?

KeyWeeUsr commented 7 years ago

Confirmed in py2:

gkanarek commented 7 years ago

The fact that it's basically ONLY McAfee that's flagging these files makes the Platypus thing seem more likely IMO...

EDIT: Especially since the creation date of the file is April 2015, and Eleanor appeared in 2016...?

KeyWeeUsr commented 7 years ago

Seems like that after all. Also, it seems like it's the container with the detected malware, not the content:

because when scanned after unpacking and packing into a .zip, no such thing is detected.

tito commented 7 years ago

As I said on IRC, this is weird. The Kivy binary is generated on the fly during packaging.

I did the packaging on a fresh MacBook Pro (~2 months old), with a bare minimal environment (nothing related to EasyDoc). Quanon did the packaging of the Python 3 version.

It would be weird that both have the malware that would infect the binary, just before uploading. I just generated a fresh version of Kivy (by adding exit 0 after https://github.com/kivy/kivy-sdk-packager/blob/master/osx/create-osx-bundle.sh#L24).

EDIT: well, the newly generated version doesn't trigger anything? (https://www.virustotal.com/fr/file/b876d0000c000ce8e488142431c5a4c39c59b963c33762619712fd50200012e9/analysis/1496425010/) But I used the Kivy binary, @KeyWeeUsr how did you test x86 and x64 of the same file?

tito commented 7 years ago

If it's the container, it's pure OSX. This may just be a false positive that needs to be reported.

KeyWeeUsr commented 7 years ago

@tito the thing you sent didn't have any of the x86 or x64 stuff inside.

dessant commented 7 years ago

sha256sum for Kivy.app/Contents/MacOS/Kivy:

5f52ce79d5e6d004122bdc2a159d2668024e25412fe1512e878c970084a8446b Kivy-1.9.0-osx.dmg (py2) https://drive.google.com/open?id=0By88oIfn3BI4Szkzb1cxMVJ4MUk (0 / 56) https://www.virustotal.com/en/file/5f52ce79d5e6d004122bdc2a159d2668024e25412fe1512e878c970084a8446b/analysis/

896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb Kivy-1.9.0-rev3-osx.dmg (py3) https://drive.google.com/open?id=0B1WO07-OL50_ZmNFTWk0SDgxcEE (3 / 56) https://www.virustotal.com/en/file/896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb/analysis/

daa1900743fc3b4968f80f80d1a1774d3547f76aa55d5237807f1ae8ac89578a Kivy-1.9.1-osx-python2.7z (py2) https://drive.google.com/open?id=0B1WO07-OL50_ejNkZmE4RlJuRGM (0 / 56) https://www.virustotal.com/en/file/daa1900743fc3b4968f80f80d1a1774d3547f76aa55d5237807f1ae8ac89578a/analysis/

896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb Kivy-1.9.1-osx-python3.7z (py3) https://drive.google.com/open?id=0B1WO07-OL50_eGlJaWJYeVdld1U (3 / 56) https://www.virustotal.com/en/file/896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb/analysis/

896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb Kivy-1.10.0-osx-python2.dmg (py2) https://drive.google.com/open?id=0B1WO07-OL50_Zm5udkRUZDNfaTg (3 / 56) https://www.virustotal.com/en/file/896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb/analysis/

896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb Kivy-1.10.0-osx-python3.5.dmg (py3) https://drive.google.com/open?id=0B1WO07-OL50_a3FpU3FQWjctdDg (3 / 56) https://www.virustotal.com/en/file/896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb/analysis/
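The list above shows the same digest for the Kivy launcher in four different packages, which is the check worth automating: hash every file in a mounted bundle, compare two releases, and report files that are byte-identical across them or that match a flagged digest. This is an added example, not code from the Kivy project; the flagged digest is the one quoted in the thread, and the two bundle trees built by demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 of the Kivy.app/Contents/MacOS/Kivy binary that scanned 3/56 in the thread.
FLAGGED = {"896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb"}

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large Mach-O binary is not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def manifest(root):
    """Bundle-relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_releases(old_root, new_root):
    """Classify the newer bundle's files against the older one; a file the packager
    should regenerate per build yet byte-identical across releases shows up as 'unchanged'."""
    old, new = manifest(old_root), manifest(new_root)
    rep = {"unchanged": [], "changed": [], "added": [], "removed": [], "flagged": []}
    for rel, digest in new.items():
        key = "added" if rel not in old else ("unchanged" if old[rel] == digest else "changed")
        rep[key].append(rel)
        if digest in FLAGGED:  # digest on the flagged list, whatever its change status
            rep["flagged"].append(rel)
    rep["removed"] = [rel for rel in old if rel not in new]
    return rep

def demo():
    """Two constructed bundle trees (not real Kivy.app contents) to exercise the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        trees = {"old": {"Contents/MacOS/Kivy": b"launcher", "Contents/Resources/kivy.py": b"v1"},
                 "new": {"Contents/MacOS/Kivy": b"launcher", "Contents/Resources/kivy.py": b"v2",
                         "Contents/Resources/extra.txt": b"x"}}
        for name, files in trees.items():
            for rel, data in files.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        return compare_releases(Path(tmp, "old"), Path(tmp, "new"))
```

Point compare_releases() at two mounted .dmg bundles (for example the 1.9.1 and 1.10.0 Kivy.app directories) to get the same report for real releases.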

tito commented 7 years ago

@dessant thanks, it's definitely a false positive. So what action can we take?

dessant commented 7 years ago

@tito, were you able to reproduce this file during a full build?

896c863de42f4ec63a53657ecc5cfbcc780ac60149564e1be40e3899851571bb

jerrysoft-x commented 7 years ago

Hi, just a suggestion: when you stop serving downloads, please post a notice instead of showing a 404... I wanted to report the download issue but luckily I saw this.

Zen-CODE commented 7 years ago

@tito. We would need to submit a False Positive report through McAfee's Service Portal.

https://kc.mcafee.com/corporate/index?page=content&id=KB85567

akshayaurora commented 7 years ago

Scanning my system with ClamXAV shows 0 viruses. I am going to try out McAfee next.

On Mon, Jun 5, 2017 at 11:41 AM, Richard Larkin notifications@github.com wrote:

@tito https://github.com/tito. We would need to submit a False Positive report through McAfee's Service Portal.

https://kc.mcafee.com/corporate/index?page=content&id=KB85567


tito commented 7 years ago

@dessant No, I wasn't able to get the same sha256.

My steps:

Nothing found: https://www.virustotal.com/fr/file/b876d0000c000ce8e488142431c5a4c39c59b963c33762619712fd50200012e9/analysis/1496678235/

No clue where the previous file came from. At this point, a hexdiff may help, but I can just ensure that it is generated, not copied from a previous generation, if the sdk packager is used. You can see that every time we bundle, it is generated.

Meanwhile, I'm downloading McAfee for a scan, but I really doubt it would show anything.

Also, please see that: https://www.jamf.com/jamf-nation/discussions/20521/app-packager-is-being-flagged-as-eleanor-malware < it has already been seen by others.

dessant commented 7 years ago

@tito, thanks for the test.

The odd part is that the file hash and modification time have stayed the same since @akshayaurora uploaded it with the Kivy-1.9.0-rev3-osx.dmg package on April 25, 2015.

Over the years multiple Platypus versions were used to create these packages, and around 6 months ago the system was also fully reinstalled, but this file did not change in new packages. He was able to reproduce the hash today with Platypus 5.0 (this version was used for Kivy 1.10.0) and 5.2.

April 25, 2015 is the file modification time. I couldn't immediately link it to a specific Platypus release; it only coincides with the date the file appeared on our storage for the first time.

Even if this is a false positive (and that we are only guessing at this time), it's not ideal that we can't account for how certain files distributed to our users came to be.

I think we have to find a reproducible explanation for this, or seek help from Platypus developers, maybe they could help with finding one.

dessant commented 7 years ago

@tito, it would be interesting to know if running create-osx-bundle.sh again produces the same hash you shared, or a new one.

tito commented 7 years ago

My gut still tells me that it is highly probable that it's real malware. Even if it's not reproducible because I have a new computer, and quanon reinstalled, then just publish the newest regenerated version?

dessant commented 7 years ago

@jerrysoft-x, we have added a notice and made an announcement on the mailing list, sorry for the delay.

akshayaurora commented 7 years ago

So on a clean new Mac Mini, I downloaded a Platypus.app and passed it through the virus scanning tool. It is still detecting malware inside the Platypus.app, although a new one this time.

https://www.virustotal.com/en/file/09d6511a62a6965b0d69c7e92455ead70853c299bf1649ea52ba00e528cb34f4/analysis/1496732777/

I don't understand this, is this confirmed to be a false positive or is platypus really being distributed with these malware?

akshayaurora commented 7 years ago

Platypus 5.2 https://www.virustotal.com/en/file/09d6511a62a6965b0d69c7e92455ead70853c299bf1649ea52ba00e528cb34f4/analysis/1496732777/
Platypus 5.1 https://www.virustotal.com/en/file/14a3595cc4e61f3e4e3051ddd0dde813119b6d2d2f19fa6271c259320b5b9d17/analysis/1496732938/
Platypus 5.0 https://www.virustotal.com/en/file/a14c9f2360feff9f07d5db5eeee238fbc602dccf574c3ebd1ce875fede43bdb1/analysis/1496733092/
Platypus 4.9 https://www.virustotal.com/en/file/f28ed1f0c3f4d4109c55d580dbf69950ad865fa7e91f32bc64d592546f382c6a/analysis/1496733164/
Platypus 4.8 https://www.virustotal.com/en/file/754d9153b92e32faf7e56a4e181de59c6f0b72b3208663042a22e1767d87cb05/analysis/1496733387/

This 4.8 version seems to be the one detected without any malware; should we just test building with this version?

akshayaurora commented 7 years ago

So a version of the Kivy.app created using the 4.8 version of Platypus does pass the test: https://www.virustotal.com/en/file/e9ee58d23ade5fa98faa5fb2030ee3a451d9646c0ee187431eca65f13d1ad009/analysis/1496735376/

akshayaurora commented 7 years ago

Just for reference:

shasum -a 256 Kivy.app/Contents/MacOS/Kivy
eb0a89698eff83a62973e57f65a82cd0682b691c136a0e637acec3e799a52c67

akshayaurora commented 7 years ago

Just created a platypus.app using the sources (5.2) and here is the result of its scan.

Source scanned as clean but the .app scans as
https://www.virustotal.com/en/file/463d4dbf6df96f5513b0bb4c877e86cad72ef5609ae394dd4582375388e015a1/analysis/1496739815/

Don't know what to make of this...

gkanarek commented 7 years ago

Any word on this? I'd like to be able to make my Kivy app available to my users again... Lol.

matham commented 7 years ago

We're working (basically @akshayaurora) on getting new versions of the package built that don't show this issue (likely built on Travis before we release it). We put downloads back up but removed the files with the issue. I guess we'll update this when the files are ready.

gkanarek commented 7 years ago

OK. Any suggestions for the kivy sdk packager in the meantime?

akshayaurora commented 7 years ago

The latest files are available here Python2 https://drive.google.com/open?id=0B1WO07-OL50_cTJiSEc4Rkh1V3M and here Python 3.5 https://drive.google.com/open?id=0B1WO07-OL50_UXNPTlIxNUNtVU0

@tshirtman already tested them. Could someone else please test them too and let us know if they work?

The procedure for creating your own Kivy.app is very simple though.

This method expects you to have pip and python installed, plus the sdl2 frameworks (for example https://www.libsdl.org/release/SDL2-2.0.5.dmg, and likewise sdl2_image, sdl2_mixer and gstreamer) installed on your system.

You will need Platypus.app too. Try to get the 4.8 version, as that is the version that VirusTotal detects as free of any virus. You will need to go into its preferences section from the menu and install the command line tools for Platypus.

# clone URL and osx/ subdirectory taken from the packager link posted earlier in this thread
git clone https://github.com/kivy/kivy-sdk-packager
cd kivy-sdk-packager/osx
./create-osx-bundle.sh

This should create a Kivy.app using the system python in the current directory. To create a .dmg, run ./create-osx-dmg Kivy.app

gkanarek commented 7 years ago

I grabbed that py3.5 version. The "Kivy" file which had been flagged before is clean on VirusTotal. I can't scan the full Kivy.app (even archived) because it's too big, so I can't comment on that.

devMoxie commented 6 years ago

I assume since this hasn't been closed, this is still an issue. Could we get an update? Thanks!

komashu commented 6 years ago

why is this still open and not fixed if it is a false positive? is there an update?

SpanishPear commented 6 years ago

Yeah please, I need to install it for my HSC SDD course.

akshayaurora commented 6 years ago

@tito @tshirtman @Zen-CODE could one of you test the files The latest files are available here Python2 https://drive.google.com/open?id=0B1WO07-OL50_cTJiSEc4Rkh1V3M and here Python 3.5 https://drive.google.com/open?id=0B1WO07-OL50_UXNPTlIxNUNtVU0

I would like to put them up for download by people since it does not have the issue anymore.

tomfitzphilly commented 6 years ago

I downloaded both of these, and they scan clean through AVG. However, both seem to modify python 2.7.

tjGhani commented 6 years ago

Is 1.9.0 clean and safe to use until the next clean version is released?

Zen-CODE commented 6 years ago

AVG tested clean on the first tests, so I doubt it's a good test. Malwarebytes for OSX claims to detect it.

https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/

As McAfee reported the initial positive, a test with that would be first prize. I'll try testing that over the next few days with both.

@tomfitzphilly. How do they seem to modify python? What did you do to detect that?

@tjGhani. I would use the links for 1.10.0 akshayaurora posted above and scan them with a tool that detects the threat (OSX/Backdoor.Eleanor). 1.10.0 contains many improvements, and helping us test that would be a great way to help out. Please post your findings if you do. Otherwise, I'll post my findings as soon as I can....

Thanks

Zen-CODE commented 6 years ago

Or better, simply upload those dmg files to the site that generated the initial set of analyses? My connection keeps breaking before the upload completes....

https://www.virustotal.com/en/#

akshayaurora commented 6 years ago

https://drive.google.com/open?id=0B1WO07-OL50_cTJiSEc4Rkh1V3M result: https://www.virustotal.com/en/file/32b23fe2da063fdae792babc3b9e8642eebf867e33c0f3b3f7e4e8e57497adf9/analysis/1519157415/
https://drive.google.com/open?id=0B1WO07-OL50_UXNPTlIxNUNtVU0 result: https://www.virustotal.com/en/file/615b585db52e12768cc484e3df32c0f79f3bc40afc16b0e66cea282296905931/analysis/1519157711/

akshayaurora commented 6 years ago

@Zen-CODE since these packages pass, I think we should put them up on the website, what say you?

Zen-CODE commented 6 years ago

Agreed. And I think you can close the ticket accordingly. I will double check tomorrow using Malwarebytes just to be safe, but seeing as VirusTotal was the reason for the ticket, the fact that it now passes seems sufficient to justify closing it.

Thanks

Zen-CODE commented 6 years ago

Malwarebytes detects no virus either. Let's close this ticket, and it can be re-opened if anyone provides a positive.