projectmatris / antimalwareapp

Anti-malware for Android using machine learning
https://www.projectmatris.tech/
GNU General Public License v3.0
254 stars, 34 forks

False positives? #4

Open licaon-kter opened 3 years ago

licaon-kter commented 3 years ago

Malware?

https://github.com/microg/FakeStore (microG repo)

https://github.com/microg/android_packages_apps_GmsCore (more exactly DroidGuard Helper; microG repo)

https://github.com/microg/android_packages_apps_GsfProxy (microG repo)

https://github.com/openbmap/radiocells-nlp-android (F-Droid)

https://gitlab.com/fdroid/privileged-extension (F-Droid)

Unknown?

https://github.com/termux/termux-styling (F-Droid)

sanandmv7 commented 3 years ago

They are probably false positives. We should investigate this further.

tinywombat765 commented 3 years ago

This flagged com.google.android.gms.setup as malware. I think this is a false positive.

zpcol commented 3 years ago

And many default LineageOS system apps are detected as malware, extraordinary.

projectmatris commented 3 years ago

The 'Scan System Apps' feature is very buggy. That is why we don't recommend using it. Since many system apps require sensitive permissions and intent-filters similar to those used by malicious apps, it is difficult for the machine learning model to distinguish between malware and goodware just by using these features only. We may try to improve this situation in the future by training the machine learning model with more distinguishing features.

tinywombat765 commented 3 years ago

FYI com.google.android.gms.setup isn't a system app.

elemonader commented 3 years ago

Also found to be malware:

https://github.com/stephane-r/HoloPlay (F-Droid)

https://github.com/beatbrot/ScreenshotAssistant (F-Droid)

zpcol commented 3 years ago

I am an Android root user, it's not difficult to give root permission, just add root mode for this application.

licaon-kter commented 3 years ago

@zpcol what for?

sanandmv7 commented 3 years ago

> I am an Android root user, it's not difficult to give root permission, just add root mode for this application.

@zpcol please open a new issue for this

sanandmv7 commented 3 years ago

> FYI com.google.android.gms.setup isn't a system app.

Is this the Data Transfer Tool? Did you install it manually?

tinywombat765 commented 3 years ago

On September 27, 2020 11:32:30 AM EDT, sanandmv7 notifications@github.com wrote:

> > FYI com.google.android.gms.setup isn't a system app.
>
> Is this the Data Transfer Tool?

I think so. I'm honestly not sure why it was on my phone.

Uj947nXmRqV2nRaWshKtHzTvckUUpD commented 3 years ago

Also vanced microg is marked as malware (com.mgoogle.android.gms)

Is it really malware??

BasilTomato commented 3 years ago

Material Files is identified as "Malware"

This is an OSS app, source code is available here: https://github.com/zhanghai/MaterialFiles

VirusTotal report: https://www.virustotal.com/gui/file/ba1c9ed65bb7a48e7733ab0762423214fc7f68a04eb3cacfaad1b4edb4108ee7/details

ghost commented 3 years ago

Shelter is also being identified as malware.

https://github.com/PeterCxy/Shelter

It's also in the F-Droid repos.

Can also confirm Vanced MicroG labeled as malware. Might be because the scanner has trouble with system apps, but MicroG isn't installed as one and it's mistaking it for a system app and flagging it due to that. May be wrong, though.

projectmatris commented 3 years ago

Please be aware that the machine learning model that we use to detect malware is in its early stages. We are consistently trying to improve the model. So please keep adding the false positives here. We will consider them next time we train the model.

njmdietrich commented 3 years ago

I found another false positive: German for AnySoftKeyboard - https://play.google.com/store/apps/details?id=com.anysoftkeyboard.languagepack.german

AlanSanchezP commented 3 years ago

Vanilla Metadata Fetch detected as malware. https://f-droid.org/repo/com.kanedias.vanilla.metadata

Prediction score 0.839975 LibreAV 1.1.0

java-py-c-cpp-js commented 3 years ago

Also detected:

Cards and Castles (Play Store)

OpenBMap (F-Droid)

net.shallowmallow.pico (Play Store)

org.pocketworkstation.dict.de (Play Store)

uli-on commented 3 years ago

Secure Photo Viewer (F-Droid) https://f-droid.org/de/packages/com.gtp.showapicturetoyourfriend/ Malware, scored 0,883341 for having read/write external storage plus wake lock.

Screenshot Assistant (Play Store, de.beatbrot.screenshotassistant) Malware, scored 0.938887, for "No permissions required"

But in case the analysis is valid, maybe some plausible arguments should accompany the app details page.

LibreAV 1.1.0

projectmatris commented 3 years ago

@uli-on The machine learning model uses permissions and intent-filters to detect malware. So even if the scanned app does not require any permissions, it may be using some intent-filters that the model considers as indicative of malware.

uli-on commented 3 years ago

> So even if the scanned app does not require any permissions, it may be using some intent-filters that the model considers as indicative of malware.

Yes, I see, but what I posted is the only information that the app currently supplies. Hence I said the app's details page should be accompanied with plausible arguments.

Vasttadpolhairs commented 3 years ago

All In-App Extensions for Tachiyomi https://github.com/inorichi/tachiyomi are all showing up as Malware or Unknown. The extensions have no permissions required and as far as I know they are only used as a source to pull the manga/comic jpg files from their respective website & each of the prediction scores is always 0.975356.

https://raw.githubusercontent.com/inorichi/tachiyomi-extensions/repo/apk/tachiyomi-all.mangadex-v1.2.97.apk (mangadex) eu.kanade.tachiyomi.extension.all.mangadex

https://raw.githubusercontent.com/inorichi/tachiyomi-extensions/repo/apk/tachiyomi-en.existentialcomics-v1.2.4.apk (existential comics) eu.kanade.tachiyomi.extension.en.existentialcomics

Here are some others also:

eu.kanade.tachiyomi.extension.all.nhentai

eu.kanade.tachiyomi.extension.all.mangaplus

eu.kanade.tachiyomi.extension.en.mangasee

eu.kanade.tachiyomi.extension.en.xkcd

eu.kanade.tachiyomi.extension.en.vizshonenjump

eu.kanade.tachiyomi.extension.all.ehentai

eu.kanade.tachiyomi.extension.all.dragonball_multiverse

eu.kanade.tachiyomi.extension.all.mangabox

eu.kanade.tachiyomi.extension.all.webtoons

eu.kanade.tachiyomi.extension.all.toomics

Vasttadpolhairs commented 3 years ago

Downloaded the latest update and the Tachiyomi extensions I listed in the post above are still showing up as malware. Can someone look into this?

projectmatris commented 3 years ago

We are still working on false positives. The model included with the app is the best one we could come up with so far. We will let you know once we develop an improved model.

PurpleCodingWizard commented 3 years ago

This dictionary app was flagged as malware even though it requests zero permissions.

Check out "English completion dictionary" - https://play.google.com/store/apps/details?id=org.pocketworkstation.dict.en

projectmatris commented 3 years ago

@PurpleCodingWizard Thanks for pointing this out. The app you mentioned uses one intent-filter only (org.pocketworkstation.DICT) which is not defined in the features.json file (features.json file contains a list of permissions and intent-filters considered while training the model. We use this file to create the feature vector.). The above-mentioned app does not use any permissions or intent-filters defined in features.json. So the feature vector for this app would contain all 0's. Since the permissions/intent-filters used by the app are unknown to the model, we should label it as 'Unknown'. But we didn't handle this condition in our app. We will fix this issue in the next release.
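The condition described in the comment above, as an added example that is not LibreAV's code: a feature vector is built against a known feature list, and an all-zero vector is reported as 'Unknown' instead of being scored. The feature list, weights, bias, threshold and the `handle_unknown` switch are constructed assumptions; only `org.pocketworkstation.DICT` comes from the thread.

```python
import math

# Constructed stand-in for the feature list; the real features.json is not shown here.
FEATURES = [
    "android.permission.READ_PHONE_STATE",
    "android.permission.WAKE_LOCK",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.MAIN",
]
INDEX = {name: i for i, name in enumerate(FEATURES)}

# Constructed toy logistic model, NOT the LibreAV model. Weights, bias and
# threshold are assumptions chosen so the all-zero vector lands above the cut-off.
WEIGHTS = [1.2, 0.4, 0.6, 1.5, -3.0]
BIAS = 2.0
THRESHOLD = 0.5


def feature_vector(permissions, intent_filters):
    """Return (binary vector, names the feature list does not know)."""
    vec, unseen = [0] * len(FEATURES), []
    for name in list(permissions) + list(intent_filters):
        if name in INDEX:
            vec[INDEX[name]] = 1
        else:
            unseen.append(name)
    return vec, unseen


def score(vec):
    """Toy prediction score in (0, 1)."""
    z = BIAS + sum(w * x for w, x in zip(WEIGHTS, vec))
    return 1.0 / (1.0 + math.exp(-z))


def classify(permissions, intent_filters, handle_unknown=True):
    vec, unseen = feature_vector(permissions, intent_filters)
    if handle_unknown and not any(vec):
        # The model saw nothing it was trained on: report that, not a verdict.
        return {"label": "Unknown", "score": None, "unseen": unseen}
    s = score(vec)
    # With an all-zero vector s depends only on the model, never on the app.
    label = "Malware" if s >= THRESHOLD else "Goodware"
    return {"label": label, "score": round(s, 6), "unseen": unseen}


if __name__ == "__main__":
    dict_app = ([], ["org.pocketworkstation.DICT"])  # from the comment above
    print(classify(*dict_app, handle_unknown=False))
    print(classify(*dict_app))
```

Without the check, every app whose permissions and intent-filters are all outside the feature list receives the same score, whatever the app is.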

damajor commented 3 years ago

A quick list that may be false positive:

esqanor commented 3 years ago

Hi! It is falsely detecting a lot of system apps (Xiaomi, rooted). It also finds mod apps, but are they really all so insecure? https://imgur.com/a/2hLJC40

licaon-kter commented 3 years ago

@esqanor system apps have a lot of permissions, as you are warned there will be false positives there

nunesgh commented 3 years ago

Firefox Focus was flagged as malware with a .804063 prediction score. The same did not happen with Firefox Browser.

AffeN01 commented 3 years ago

BubbleUPnP may be a false positive (detected as malware).

licaon-kter commented 3 years ago

https://github.com/MuntashirAkon/unapkm-android False positive

damajor commented 3 years ago

Why report false positives when the latest update does not include the ones in this thread?

licaon-kter commented 3 years ago

@damajor umm?

damajor commented 3 years ago

I just point out that I reported 3 legit apps and they still appear as malware in the latest LibreAV release.

licaon-kter commented 3 years ago

@damajor yes, they aren't adding "exceptions", they need "samples" to fine tune detection algorithms.

damajor commented 3 years ago

Aren't the apps publicly available for that purpose? My guess is yes.

realpixelcode commented 3 years ago

LibreAV detected the following apps from F-Droid as malware today:

IMG_20210208_184505.jpg

karlzt commented 3 years ago

Here's another:

https://gitlab.com/gardenappl/try-lbry

Prediction Score: .949149 Malware

(It's on F-Droid)

Uj947nXmRqV2nRaWshKtHzTvckUUpD commented 3 years ago

Termux also identified as risky

realpixelcode commented 3 years ago

Here are some more false positives:

lekald commented 3 years ago

Wrong PIN Shutdown
org.nuntius35.wrongpinshutdown
Prediction Score: .999543 (MALWARE)
Permission List: android.permission.ROOT, android.permission.ACCESS_SUPERUSER, android.permission.READ_PHONE_STATE

FakeGapps
com.thermatk.android.xf.fakegapps
Prediction Score: 0 (UNKNOWN)
Permission List: -

AnySoftKeyboard: Swedish
com.anysoftkeyboard.languagepack.swedish
Prediction Score: 0 (UNKNOWN)
Permission List: -
NOTE: Likely applies to all language packs

User66958 commented 3 years ago

Screenshot_20210524-141757_LibreAV Screenshot_20210524-141748_LibreAV

That's not even all of it. I think I'll have to root and Uninstall bloatware without bricking...

licaon-kter commented 3 years ago

@User66958 as said in the app, better not scan system apps. Please don't start uninstalling system apps based on this app's reports.

User66958 commented 3 years ago

> @User66958 as said in the app, better not scan system apps. Please don't start uninstalling system apps based on this app's reports.

I'm aware of the consequences for doing so. I just want to remove bloatware in general. There's over 400 apps installed on my phone and most are from Samsung. Surely there's some that aren't needed for the device to function properly.

wumbowarrior commented 3 years ago

Would like to report a couple of false positives

Screenshot_20210829-150043

DawnShadow commented 3 years ago

Automate apps by Llamalab are false-positives.

DawnShadow commented 3 years ago

NoUSSD is a false positive. It's from F-Droid.

ahmed-tasaly commented 2 years ago

Cryptocurrency exchanges Kucoin, Huobi pro are listed as malware. Is this right? I don't know.

licaon-kter commented 2 years ago

@ahmed-tasaly if they are open source you can check?!