Lib for OAuth-1 causes False Positive Trojan detection

[mariush444]

Description

Virustotal reports trojan in nightly

Steps to reproduce

https://www.virustotal.com/gui/file/9a655cc988077087d6312982784b52d6250fe74665f9733f93b4cfc88bbe8026/detection

Actual result

As above

Expected result

Do you confirm problem or it is false positive. In case the 2nd, bug should be reportet to virustotal

Your Environment (required)

Independent

[yuriiurshuliak]

Absolutely, it's crucial to ensure you download APK files exclusively from official sources. Also, it's important to remember that third-party websites might not always offer accurate or reliable information.

[vshcherb]

We have no idea what it is and it's probably unrelated to us

[mariush444]

Absolutely, it's crucial to ensure you download APK files exclusively from official sources. Also, it's important to remember that third-party websites might not always offer accurate or reliable information.

What are you talking about? It is yours https://download.osmand.net/latest-night-build/

[mariush444]

We have no idea what it is and it's probably unrelated to us

In my opinion it is completly unprofessional to close such event without investigation. Shame

[vshcherb]

What kind of investigation. There is no proof what happened / when, there is no trust in such services that they are always correct.

However I trust my team and we all do double times code review. You also see full history of commits.

[vshcherb]

We can't search something if there is no proof enough, if service would say that part of code or that class is trojan that would be at least something to work with. If you see strange behavior - ok. If we see something strange on our servers - ok, but I don't see anything, so it's not a rush decision, just quick and that's it. No need to wait to come to this conclusion

[mariush444]

You know that everything can be hacked like previously python: libraries, github, root certificates ... and it is not about your "trust my team". Some files can be overwritten at anyplace or anytime. It just happens sometimes. Because of that https://github.com/osmandapp/OsmAnd/issues/18664 could be helpful.

(just example https://arstechnica.com/information-technology/2022/08/10-malicious-python-packages-exposed-in-latest-repository-attack/)

What should you do? Asked for a apk that I download to verify by yourself. You even don't know what version / which day I downloaded your file. It is possible that it false positive, as I mentioned. In this case you should contact with service and ask what is going on. They can make mistake but clarification of this can improve their service/solution too. But from other hand you can get info about you don't know yet. Other programmers, owners of the code do as I describe. It is obvious and no problem.

Do you noticed huge list "Memory Pattern Urls" that is used by your apk? (http://profile.tut.by - come on)

It seems that you just closed the problem to hide a possible problem from others as quickly as possible.

[vshcherb]

Do you noticed huge list "Memory Pattern Urls" that is used by your apk? (http://profile.tut.by/ - come on)

Where this coming from?

I'm closing issue that we're not going to work with but it might be reopen. Open / Closed issues have the same visibility if I wanted to hide it would be different.

[vshcherb]

From analysis we did that service showed that Free version is "Trojan free" and Paid "Trojan not free", I estimate that it's highly unlikely and My estimation that Service false positive detection much more likely.

So if I get more valuable information, I would continue working on that issue and I don't say that Trojan absolute 0% chance

[RZR-UA]

mariush444

Thank you for your attention to this issue.

The link "profile.tut.by", among with others, came from https://github.com/scribejava/scribejava which we use for OAuth proto.

I've splitted our "trojaned" APK files into parts, scanned the parts with VirusTutal, and have found that only 1 dex-file (compiled classes.dex) was reacted by IKARUS scanner.

In addition, I've installed IKARUS scanner to my Android and it has reacted to nightly APK-files on smartphone, too.

Interestingly that our (OsmAnd made) classes are located in other dex-files (classesX.dex) and not affected, but that 1st dex-file (classes.dex) contains a lot of Android/etc libraries and affected.

If you had some spare time, would you mind checking these files in details?

dex-binary.zip - classes.dex was reacted by VirusTotal dex-decompiled.zip - decompiled classes.dex (by jadx decompiler)

dex-binary.zip

dex-decompiled.zip

[mariush444]

good job. I really appreciate your effort. I let you know if I find something valuable.

[mariush444]

it seems that problem is not directly in a source code but with domains that are used in a code. especially with: c.tenor.com , 142.251.18.94 , 142.251.31.94. They are reported as a source of malwers

Because some modules use planty of domains https://www.virustotal.com/gui/file/41146d1f6641f692e4fdf20f7ab8b7adae7f97162b42f7783b9584d289a572fb/details so my idea is to make simple test ... please, rename all .com , .org , .ru, .cn. , .by , .no accordingly to: .1com , .1org , .1ru , .1cn. , .1by , .1no compile as usually and test in virustotal.

[vshcherb]

We're going to update OAuth-2 library soon, probably it won't have these dependencies.