rowak / nanoleaf-desktop

A modern desktop application for the Nanoleaf Aurora and Canvas
MIT License
166 stars, 13 forks

Numerous A/V vendors saying app contains malicious trojan code #25

Open ItsJustMeAgain opened 3 years ago

ItsJustMeAgain commented 3 years ago

I downloaded Nanoleaf.for.Desktop.v0.8.6.WINDOWS.exe last night and this morning I woke to find my antivirus software (AMP) had detected malicious code and quarantined the app.

I uploaded the latest .exe and .jar files to virustotal and a fair number of vendors are currently detecting similar things.

https://www.virustotal.com/gui/file/38727be9e10c7505b9f3414a1b1b298c139531713b04114181d29f21c1e5c151/detection https://www.virustotal.com/gui/file/3e8b9b85836a30d63c306b76328f96b0c890fb247343ed6d4e30d1f30d43a14b/detection
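Before arguing about verdicts it is worth confirming that the file on disk is the same object the VirusTotal links describe, and reading the report as counts rather than as a single red badge. The following is an added example, not code from the project or from anyone in this thread: it pulls the SHA-256 out of a VirusTotal file URL (the two links above use that form), hashes a local file, and summarises a v3 file report. The `fetch_report` helper uses the documented v3 endpoint and `x-apikey` header but needs a key and network access, so the demo instead parses a constructed report with placeholder engine names; the installer bytes it hashes are likewise constructed, so the hash deliberately does not match the hash in the link.

```python
import hashlib
import json
import os
import re
import tempfile
import urllib.request

VT_API = "https://www.virustotal.com/api/v3/files/"

# First link from the issue above; used only to show hash extraction/comparison.
ISSUE_URL = ("https://www.virustotal.com/gui/file/"
             "38727be9e10c7505b9f3414a1b1b298c139531713b04114181d29f21c1e5c151/detection")


def hash_from_vt_url(url: str) -> str:
    """Extract the SHA-256 from a VirusTotal URL of the form .../file/<sha256>/..."""
    m = re.search(r"/file/([0-9a-fA-F]{64})", url)
    if not m:
        raise ValueError(f"no SHA-256 found in {url}")
    return m.group(1).lower()


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fetch_report(sha256: str, api_key: str) -> dict:
    """Fetch a VirusTotal v3 file report (needs network and an API key; not run here)."""
    req = urllib.request.Request(VT_API + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file report to the numbers that matter: how many engines flag it,
    out of how many, and which ones (so you can see whether they share a signature)."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs.get("last_analysis_results", {})
    flagged_by = sorted(
        engine for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )
    return {
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "total_engines": sum(stats.values()),
        "flagged_by": flagged_by,
    }


# Constructed report in the shape returned by the v3 /files endpoint; engine names
# and verdicts are placeholders, not real vendor results for this file.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {
                "harmless": 0, "malicious": 3, "suspicious": 1,
                "undetected": 66, "timeout": 0, "type-unsupported": 0,
            },
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineC": {"category": "suspicious", "result": "Heuristic"},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "malicious", "result": "Trojan.Generic"},
            },
        }
    }
}


def demo() -> dict:
    """Hash a constructed stand-in for the installer and compare it with the link's hash."""
    data = b"constructed placeholder, not the real Nanoleaf installer"
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        local = sha256_file(path)
    finally:
        os.unlink(path)
    return {
        "hash_consistent": local == sha256_bytes(data),
        "matches_reported_hash": local == hash_from_vt_url(ISSUE_URL),
        "summary": summarize_report(SAMPLE_REPORT),
    }
```

If `matches_reported_hash` is false for a real download, the report you are reading is for a different build (or the download was tampered with), and the detection count says nothing about the file you ran.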

rowak commented 3 years ago

Thank you for reporting this. Nanoleaf for Desktop does not contain any malicious code. The app does depend on a number of libraries, but each is very reputable and I highly doubt they contain malicious code.

If any of these libraries were the culprit I would first suspect jnativehook, because it may appear to be doing something suspicious (from an antivirus perspective) with lower-level system calls. This library is used to implement the keyboard shortcuts in Nanoleaf for Desktop by the way.

I'll look into this issue further when I get the chance.

rowak commented 3 years ago

Okay, so I sequentially scanned each release on virustotal starting from v0.1.0 to try and find which release started the problem. Virustotal reports that every release up to v0.5.0 is clean. This means that something added in v0.5.0 is triggering these antivirus engines that wasn't present in v0.4.3. The key change in v0.5.0 is the addition of the spotify visualizer feature which depends on both the spotify web api for calls to spotify and nanohttp for the oauth callback server.

Comparing the commits between v0.4.3 and v0.5.0 (here) you will notice that two libraries were added: spotify-web-api-java and nanohttpd. Strictly comparing my own code between those two versions I really can't seem to find any code that might be considered malicious in any way. I also wanted to point out that virustotal reports zero detections when scanning v0.8.3. I consider this to be further evidence the other versions are being flagged as false positives.

On top of this, considering that only a small fraction of antivirus engines are flagging the file, I am mostly convinced that this is a false positive. If you have any additional insight please let me know.
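Two pieces of the procedure above are worth having as code: locating the first flagged release, and diffing what a release actually bundles against the previous one. The block below is an added example, not the project's code or rowak's script. `first_flagged` bisects an ordered release list instead of scanning every one, which only works if the verdict is monotone; `transitions` is the full sequential scan and is what exposes a case like v0.8.3 (flagged neighbours, clean itself). `diff_jars` lists the third-party package prefixes and native binaries (`.dll`/`.so`) added between two jars, the same comparison rowak made from the commit history. The release list, the flag set, and every jar entry name are constructed for the demo; the package paths for the app, jnativehook and its bundled native library are assumptions about layout, not taken from the real jars.

```python
import io
import zipfile
from typing import Callable, Dict, List, Optional, Sequence, Tuple

NATIVE_EXT = (".dll", ".so", ".dylib", ".jnilib")


def first_flagged(versions: Sequence[str],
                  is_flagged: Callable[[str], bool]) -> Tuple[Optional[str], Dict[str, bool]]:
    """Bisect an ordered release list for the first flagged release.
    Assumes verdicts are monotone (clean..clean, flagged..flagged). Returns the version
    (None if nothing probed was flagged) plus every probe made, so the caller can see
    which releases were actually checked rather than trusting the answer blindly."""
    seen: Dict[str, bool] = {}

    def probe(v: str) -> bool:
        if v not in seen:
            seen[v] = is_flagged(v)
        return seen[v]

    lo, hi = 0, len(versions)
    while lo < hi:
        mid = (lo + hi) // 2
        if probe(versions[mid]):
            hi = mid
        else:
            lo = mid + 1
    return (versions[lo] if lo < len(versions) else None), seen


def transitions(versions: Sequence[str],
                is_flagged: Callable[[str], bool]) -> List[Tuple[str, str, str]]:
    """Full sequential scan: every point where the verdict flips. More than one
    clean->flagged transition means the bisection assumption does not hold."""
    out: List[Tuple[str, str, str]] = []
    prev: Optional[Tuple[str, bool]] = None
    for v in versions:
        cur = is_flagged(v)
        if prev is not None and cur != prev[1]:
            out.append((prev[0], v, "clean->flagged" if cur else "flagged->clean"))
        prev = (v, cur)
    return out


def jar_inventory(jar_bytes: bytes) -> Dict[str, set]:
    """Package prefixes (up to three path components) and native binaries in a jar."""
    packages, natives = set(), set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue
            if name.lower().endswith(NATIVE_EXT):
                natives.add(name)
            elif name.endswith(".class"):
                parts = name.split("/")[:-1]
                if parts:
                    packages.add("/".join(parts[:3]))
    return {"packages": packages, "natives": natives}


def diff_jars(old: bytes, new: bytes) -> Dict[str, List[str]]:
    a, b = jar_inventory(old), jar_inventory(new)
    return {
        "added_packages": sorted(b["packages"] - a["packages"]),
        "removed_packages": sorted(a["packages"] - b["packages"]),
        "added_natives": sorted(b["natives"] - a["natives"]),
    }


def build_jar(entries: Sequence[str]) -> bytes:
    """Constructed sample jar: real entry names with placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for e in entries:
            zf.writestr(e, b"\0")
    return buf.getvalue()


# Constructed release list and verdicts (only v0.1.0, v0.4.3, v0.5.0, v0.8.3 and v0.8.6
# appear in the thread; the rest, and the flags, are made up for the demo).
VERSIONS = ["v0.1.0", "v0.2.0", "v0.3.0", "v0.4.0", "v0.4.3", "v0.5.0",
            "v0.6.0", "v0.7.0", "v0.8.0", "v0.8.3", "v0.8.6"]
FLAGGED = {"v0.5.0", "v0.6.0", "v0.7.0", "v0.8.0", "v0.8.6"}

# Assumed jar layouts: app package, jnativehook classes and its bundled native library,
# then the two libraries added in v0.5.0 (NanoHTTPD, spotify-web-api-java).
OLD_JAR = build_jar(["io/github/rowak/nanoleafdesktop/Main.class",
                     "org/jnativehook/GlobalScreen.class",
                     "org/jnativehook/lib/windows/x86_64/JNativeHook.dll"])
NEW_JAR = build_jar(["io/github/rowak/nanoleafdesktop/Main.class",
                     "org/jnativehook/GlobalScreen.class",
                     "org/jnativehook/lib/windows/x86_64/JNativeHook.dll",
                     "fi/iki/elonen/NanoHTTPD.class",
                     "com/wrapper/spotify/SpotifyApi.class"])


def demo() -> dict:
    first, probes = first_flagged(VERSIONS, lambda v: v in FLAGGED)
    return {"first_flagged": first, "probed": sorted(probes),
            "transitions": transitions(VERSIONS, lambda v: v in FLAGGED),
            "jar_diff": diff_jars(OLD_JAR, NEW_JAR)}
```

With a real `is_flagged` backed by VirusTotal lookups, bisection costs about four queries for a dozen releases instead of a dozen, but run `transitions` once anyway: a later clean release (v0.8.3 here) shows the signal is not monotone, and the jar diff tells you which newly bundled package or native library to hand to the vendors when requesting a false-positive review.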