projectmatris / antimalwareapp

Anti-malware for Android using machine learning
https://www.projectmatris.tech/
GNU General Public License v3.0
258 stars 34 forks source link

False positives? #4

Open licaon-kter opened 4 years ago

licaon-kter commented 4 years ago

Malware? https://github.com/microg/FakeStore (microG repo) https://github.com/microg/android_packages_apps_GmsCore (more exactly DroidGuard Helper; microG repo) https://github.com/microg/android_packages_apps_GsfProxy (microG repo) https://github.com/openbmap/radiocells-nlp-android (F-Droid) https://gitlab.com/fdroid/privileged-extension (F-Droid)

Unknown? https://github.com/termux/termux-styling (F-Droid)

sanandmv7 commented 4 years ago

They are probably false positives. We should investigate this further.

tinywombat765 commented 4 years ago

This flagged com.google.android.gms.setup as malware. I think this is a false positive.

zpcol commented 4 years ago

And many default system apps Lineageos are detected by malmware, extraordinary.

projectmatris commented 4 years ago

The 'Scan System Apps' feature is very buggy. That is why we don't recommend using it. Since many system apps require sensitive permissions and intent-filters similar to those used by malicious apps, it is difficult for the machine learning model to distinguish between malware and goodware just by using these features only. We may try to improve this situation in the future by training the machine learning model with more distinguishing features.

tinywombat765 commented 4 years ago

FYI com.google.android.gms.setup isn't a system app.

elemonader commented 4 years ago

Also found to be malware:

https://github.com/stephane-r/HoloPlay (F-Droid)

https://github.com/beatbrot/ScreenshotAssistant (F-Droid)

zpcol commented 4 years ago

I am a Android root user, it's not difficult to give root permission, just add root mode for this application.

licaon-kter commented 4 years ago

@zpcol what for?

sanandmv7 commented 4 years ago

I am a Android root user, it's not difficult to give root permission, just add root mode for this application.

@zpcol please open a new issue for this

sanandmv7 commented 4 years ago

FYI com.google.android.gms.setup isn't a system app.

Is this the Data Transfer Tool? Did you install it manually?

tinywombat765 commented 4 years ago

On September 27, 2020 11:32:30 AM EDT, sanandmv7 notifications@github.com wrote:

FYI com.google.android.gms.setup isn't a system app.

Is this the Data Transfer Tool?

I think so. I'm honestly not sure why it was on my phone.

Uj947nXmRqV2nRaWshKtHzTvckUUpD commented 4 years ago

Also vanced microg is marked as malware (com.mgoogle.android.gms)

Is it really malware??

BasilTomato commented 4 years ago

Material Files is identified as "Malware"

This is an OSS app, source code is available here: https://github.com/zhanghai/MaterialFiles

VirusTotal report: https://www.virustotal.com/gui/file/ba1c9ed65bb7a48e7733ab0762423214fc7f68a04eb3cacfaad1b4edb4108ee7/details

ghost commented 4 years ago

Shelter is also being identified as malware.

https://github.com/PeterCxy/Shelter

It's also in the F-Droid repos.

Can also confirm Vanced MicroG labeled as malware. Might be because the scanner has trouble with system apps, but MicroG isn't installed as one and it's mistaking it for a system app and flagging it due to that. May be wrong, though.

projectmatris commented 4 years ago

Please be aware that the machine learning model that we use to detect malware is in its early stages. We are consistently trying to improve the model. So please keep adding the false positives here. We will consider them next time we train the model.

njmdietrich commented 4 years ago

I found another false positive: German for AnySoftKeyboard - https://play.google.com/store/apps/details?id=com.anysoftkeyboard.languagepack.german

AlanSanchezP commented 4 years ago

Vanilla Metadata Fetch detected as malware. https://f-droid.org/repo/com.kanedias.vanilla.metadata

Prediction score 0.839975 LibreAV 1.1.0

java-py-c-cpp-js commented 4 years ago

Also detected: Cards and Castles (Play Store) OpenBMap (F-Droid) net.shallowmallow.pico (Play Store) org.pocketworkstation.dict.de (Play Store)

uli-on commented 4 years ago

Secure Photo Viewer (F-Droid) https://f-droid.org/de/packages/com.gtp.showapicturetoyourfriend/ Malware, scored 0,883341 for having read/write external storage plus wake lock.

Screenshot Assistant (Play Store, de.beatbrot.screenshotassistant) Malware, scored 0.938887, for "No permissions required"

But in case the analysis is valid, maybe some plausible arguments should encompany the app details page.

LibreAV 1.1.0

projectmatris commented 4 years ago

@uli-on The machine learning model uses permissions and intent-filters to detect malware. So even if the scanned app does not require any permissions, it may be using some intent-filters that the model considers as indicative of malware.

uli-on commented 4 years ago

So even if the scanned app does not require any permissions, it may be using some intent-filters that the model considers as indicative of malware.

Yes, I see, but what I posted is the only information that the app currently supplies. Hence I said the app's details page should be encompanied with plausible arguments.

Vasttadpolhairs commented 4 years ago

All In-App Extensions for Tachiyomi https://github.com/inorichi/tachiyomi are all showing up as Malware or Unknown. The extensions have no permissions required and as far as i know they are only used as a source to pull the manga/comic jpg files from their respective website & each of the prediction scores are always 0.975356

https://raw.githubusercontent.com/inorichi/tachiyomi-extensions/repo/apk/tachiyomi-all.mangadex-v1.2.97.apk (mangadex) eu.kanade.tachiyomi.extension.all.mangadex https://raw.githubusercontent.com/inorichi/tachiyomi-extensions/repo/apk/tachiyomi-en.existentialcomics-v1.2.4.apk (existentinal comics) eu.kanade.tachiyomi.extension.en.existentialcomics

here are some others also eu.kanade.tachiyomi.extension.all.nhentai eu.kanade.tachiyomi.extension.all.mangaplus eu.kanade.tachiyomi.extension.en.mangasee eu.kanade.tachiyomi.extension.en.xkcd eu.kanade.tachiyomi.extension.en.vizshonenjump eu.kanade.tachiyomi.extension.all.ehentai eu.kanade.tachiyomi.extension.all.dragonball_multiverse eu.kanade.tachiyomi.extension.all.mangabox eu.kanade.tachiyomi.extension.all.webtoons eu.kanade.tachiyomi.extension.all.toomics

Vasttadpolhairs commented 3 years ago

Downloaded the latest update and Tachiyomi extensions i listed in the post above are still showing up as malware can someone look into this?

projectmatris commented 3 years ago

We are still working on false positives. The model included with the app is the best one we could come up with so far. We will let you know once we develop an improved model.

PurpleCodingWizard commented 3 years ago

This dictionary app was flagged as malware even though it requests zero permissions.

Check out "English completion dictionary" - https://play.google.com/store/apps/details?id=org.pocketworkstation.dict.en

projectmatris commented 3 years ago

@PurpleCodingWizard Thanks for pointing this out. The app you mentioned uses one intent-filter only (org.pocketworkstation.DICT) which is not defined in the features.json file (features.json file contains a list of permissions and intent-filters considered while training the model. We use this file to create the feature vector.). The above-mentioned app does not use any permissions or intent-filters defined in features.json. So the feature vector for this app would contain all 0's. Since the permissions/intent-filters used by the app are unknown to the model, we should label it as 'Unknown'. But we didn't handle this condition in our app. We will fix this issue in the next release.

damajor commented 3 years ago

A quick list that may be false positive:

esqanor commented 3 years ago

hi! false detecting a lot of system apps (xiaomi rooted) he also finds a mod apps, but are they really all so insecure? https://imgur.com/a/2hLJC40

licaon-kter commented 3 years ago

@esqanor system apps have a lot of permissions, as you are warned there will be false positives there

nunesgh commented 3 years ago

Firefox Focus was flagged as malware with a .804063 prediction score. The same did not happen with Firefox Browser.

AffeN01 commented 3 years ago

BubbleUPnP may be a false positive (detected as malware).

licaon-kter commented 3 years ago

https://github.com/MuntashirAkon/unapkm-android False positive

damajor commented 3 years ago

Why reporting false positive when the latest update does not include the one in this thread ?

licaon-kter commented 3 years ago

@damajor umm?

damajor commented 3 years ago

I just point out that I reported 3 legits apps and they still appear as malware in the latest LibreAV release.

licaon-kter commented 3 years ago

@damajor yes, they aren't adding "exceptions", they need "samples" to fine tune detection algoritms.

damajor commented 3 years ago

Aren't the apps publicly available for that purpose ? My guess is yes.

realpixelcode commented 3 years ago

LibreAV detected the following apps from F-Droid as malware today:

IMG_20210208_184505.jpg

karlzt commented 3 years ago

Here's another:

https://gitlab.com/gardenappl/try-lbry

Prediction Score: .949149 Malware

(It's on F-Droid)

Uj947nXmRqV2nRaWshKtHzTvckUUpD commented 3 years ago

Termux also identified as risky

realpixelcode commented 3 years ago

Here are some more false positives:

lekald commented 3 years ago

Wrong PIN Shutdown org.nuntius35.wrongpinshutdown Prediction Score: .999543 (MALWARE) Permission List: android.permission.ROOT, android.permission.ACCESS_SUPERUSER, android.permission.READ_PHONE_STATE

FakeGapps com.thermatk.android.xf.fakegapps Prediction Score: 0 (UNKNOWN) Permission List: -

AnySoftKeyboard: Swedish com.anysoftkeyboard.languagepack.swedish Prediction Score: 0 (UNKNOWN) Permission List: - NOTE: Likely applies to all language packs

User66958 commented 3 years ago

Screenshot_20210524-141757_LibreAV Screenshot_20210524-141748_LibreAV

That's not even all of it. I think I'll have to root and Uninstall bloatware without bricking...

licaon-kter commented 3 years ago

@User66958 as said in the app, better not scan system apps. Please don't start uninstalling system apps based on this apps reports.

User66958 commented 3 years ago

@User66958 as said in the app, better not scan system apps. Please don't start uninstalling syst.m apps based on this apps reports.

I'm aware of the consequences for doing so. I just want to remove bloatware in general. There's over 400 apps installed on my phone and most are from Samsung. Surely there's some that aren't needed for the device to function properly.

wumbowarrior commented 3 years ago

Would like to report a couple of false positives

Screenshot_20210829-150043

DawnShadow commented 3 years ago

Automate apps by Llamalab are false-positives.

DawnShadow commented 3 years ago

NoUSSD is false-positive. It's from F-droid

ahmed-tasaly commented 3 years ago

Cryptocurrency exchanges Kucoin , Huobi pro are listed as malware Is this right? I don't know

licaon-kter commented 3 years ago

@ahmed-tasaly if they are open source you can check?!