yeriomin / YalpStore

Download apks from Google Play Store
GNU General Public License v2.0

Virustotal check of downloaded apks #257

Open yeriomin opened 7 years ago

yeriomin commented 7 years ago

After download completes, apk can optionally be checked for malware on virustotal. Since only SHA256 of the apk is required, it should not take too much time.

Wandang commented 7 years ago

This is more of a "feel-good"-security approach. Virustotal won't detect malware right away and I assume that google itself is faster and will take down the app.

So when an app gets a malware-infused update it is probably too late anyway.

Sure, there might be the occasional malware that is triggered by heuristic analysis, but it would be a stretch (in my opinion) to assume Google doesn't use state-of-the-art heuristic analysis themselves.

yeriomin commented 7 years ago

@Wandang

Points to consider:

  1. Virustotal is a part of Google
  2. Malware still frequently appears in Play Store.
  3. It is impossible to distinguish malware from proper software automatically. Antivirus software detects unwanted apps mostly through known signatures, not through heuristics.

So I think a signature check is pretty similar to what Google Play Protect™ is doing or is at least a part of it.

You are right, Virustotal won't detect malware right away, but nothing actually does, so the signature check is not useless.

Wandang commented 7 years ago

@yeriomin

  1. Didn't know that, neat
  2. Yes ofc. I didn't mean to claim otherwise. I just wanted to indicate that if google didn't catch the malware, virustotal probably doesn't have a signature for that as well.
  3. The point I tried to make here was that signatures are being distributed quite fast between vendors. So signature scanning on virustotal will result in a significant rise in positive hits over a day, because most vendors update their signatures to include the newly identified malware. So what (in my opinion) really differentiates the antivir vendors is their heuristic algorithm. Some might be aggressive with a lot of false positives while others are lenient. That's why I said occasionally malware will be found by virustotal instead of google. (I don't know if google has tight or lenient heuristics.)

Take this all with a grain of salt since I am not a security expert. Just a regular software developer stating his opinion.

The only advantage I would see in integrating virustotal is the timely removal of the malware-infused app or reinstating a backup if needed. (Granted that Yalp never checks if an app was kicked from the google store because of malware. Do not know that.)

The second advantage would be a better feeling of security for the enduser.

So if you feel strongly for this feature or if your knowledge of the topic recommends this (As stated I don't have any deep knowledge on that topic) then go ahead. It's not like I never use virustotal myself (in the rare occasion that I am sitting in front of a windows machine. Process explorer [advanced task manager] has integrated virustotal for processes which is neat)

Hope this made my position more clear.

Cheers :)

haroon-ali commented 7 years ago

Another point is that virustotal.com has a lot of false positives. I use it a lot and actually many safe apps are reported as infected, especially on those infamous anti-virus engines, while on the major engines like eset/Kaspersky/panda/drweb for example it's reported as OK.

So if you want to provide this function you may consider just a warning, or better, checking against just 10 of the major antivirus engines.

Also with deltas it'll be a problem. Newly updated apps will have to be uploaded for the 1st time to virustotal.com.

Anyway I think it's not the job of yalp store to do so.

setuidroot commented 7 years ago

Any progress with this? I ask b/c I started working on a new VT app to upload files easily from android. I may be able to contribute to this because of some code I've already done.

I'll take a look at the UI and maybe look at adding this functionality... if you're already working on it though let me know, I'll help any way I can.

Thanks for this app by the way... got rid of the google monster from my phone altogether now :)

yeriomin commented 7 years ago

@setuidroot I haven't started working on this yet.

I cannot be sure, but I think all apks from Play Store get into the virustotal base on upload, and are marked malicious only after a sufficient amount of people report something. So uploading apks to virustotal is not something Yalp Store should do.

Checking downloaded and/or installed apks can be useful. There is no technical difficulty in implementing this since it is just a request to https://www.virustotal.com/#/file/<sha256>/detection, but I'm not sure how it should be done in the ui to bring more good than harm. @haroon-ali makes a valid point. For example https://github.com/yeriomin/YalpStore/releases/download/0.27/com.github.yeriomin.yalpstore_27.apk is considered malicious by one of the engines on virustotal.

[Screenshot: virustotal detection page for the Yalp Store apk]

jfwerner commented 6 years ago

I don't see the point. The apps are directly downloaded from the Play Store, so there shouldn't be any more malware than in the normal Play Store, provided the connection is encrypted. Please tell me it's encrypted.

yeriomin commented 6 years ago

so there shouldn't be any more malware than in the normal Play Store,

There is going to be exactly the same amount of malware. There is malware in Play Store, see my second message in this issue.

provided the connection is encrypted

Encryption is irrelevant, amount of malware wouldn't change if the connection was not encrypted.

Please tell me it's encrypted.

Yes, everything goes through https.

TomJansen commented 6 years ago

I think that this feature adds more bloat, you can also download a separate app to scan your phone.

rugk commented 6 years ago

I think this feature is useless. As Virustotal is part of Google (as you noted), I am very sure Google already scans each app and takes them down or so.

Encryption is irrelevant, amount of malware wouldn't change if the connection was not encrypted.

Sorry, but you miss the point. You do not want to have the list of apps you have installed exposed to anyone on the network. That has nothing to do with malware. But as it would use HTTPS, this is not even a point to discuss.

jfwerner commented 6 years ago

doesmysiteneedhttps.com

DarkCat09 commented 3 years ago

@yeriomin,

I suggest adding a "Scan APK on VirusTotal" option to the settings. If the option is enabled, the application is scanned and, in case of three or more detections, the user is shown a dialog warning that the file is malicious.
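As an added example (not YalpStore's own code), here is the hash-only check the thread describes, in Python: compute the SHA-256 of the downloaded apk, build the lookup URL yeriomin gives above, and apply DarkCat09's three-detection threshold, optionally counting only a short list of major engines as haroon-ali suggests. The report layout (`last_analysis_results` mapping engine name to a per-engine `category`) follows VirusTotal's v3 file report as I know it; the engine short-list and the sample reports are constructed for illustration.

```python
from __future__ import annotations
import hashlib

# Hash-only lookup page named in the thread; the apk itself is never uploaded.
VT_FILE_URL = "https://www.virustotal.com/#/file/{sha256}/detection"

# Assumed short-list of "major" engines (haroon-ali's suggestion); adjust to taste.
MAJOR_ENGINES = {"ESET-NOD32", "Kaspersky", "DrWeb", "Panda"}


def sha256_of_apk(apk_bytes: bytes) -> str:
    """SHA-256 hex digest of the downloaded apk, the only input VirusTotal needs."""
    return hashlib.sha256(apk_bytes).hexdigest()


def lookup_url(sha256: str) -> str:
    """URL a user can open to inspect the existing report for this hash."""
    return VT_FILE_URL.format(sha256=sha256)


def verdict(report: dict | None, threshold: int = 3,
            major_only: bool = False) -> tuple[str, int]:
    """Turn a VirusTotal file report into (label, detections).

    report: dict shaped like the v3 /files/{hash} response (assumed layout), or
            None when the hash is unknown to VirusTotal (never seen, so no verdict).
    A single hit from an obscure engine, as with the Yalp apk in the thread,
    stays below the threshold and yields "ok"; threshold or more yields "warn".
    """
    if report is None:
        return ("unknown", 0)
    results = report["data"]["attributes"]["last_analysis_results"]
    hits = [eng for eng, r in results.items() if r["category"] == "malicious"]
    if major_only:
        hits = [eng for eng in hits if eng in MAJOR_ENGINES]
    return ("warn" if len(hits) >= threshold else "ok", len(hits))


def _report(flagged: list[str], clean: list[str]) -> dict:
    """Constructed stand-in for a VirusTotal report (not real scan data)."""
    results = {e: {"category": "malicious"} for e in flagged}
    results.update({e: {"category": "undetected"} for e in clean})
    return {"data": {"attributes": {"last_analysis_results": results}}}


# Constructed case like the thread's: one obscure engine flags an apk the majors call clean.
ONE_OBSCURE_HIT = _report(["SomeObscureAV"], ["ESET-NOD32", "Kaspersky", "DrWeb", "Panda"])
# Constructed case: broad agreement across engines that the file is bad.
BROAD_AGREEMENT = _report(["ESET-NOD32", "Kaspersky", "DrWeb", "SomeObscureAV", "AnotherAV"],
                          ["Panda"])

if __name__ == "__main__":
    print(lookup_url(sha256_of_apk(b"constructed apk bytes")))
    print(verdict(ONE_OBSCURE_HIT), verdict(BROAD_AGREEMENT, major_only=True))
```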

jfwerner commented 3 years ago

@DarkCat09 why comment on this? Yalp is a dead project and has been replaced by Aurora Store from Whyorean.

rugk commented 3 years ago

@jfwerner Is it, though? If so, I have opened an issue: https://github.com/yeriomin/YalpStore/issues/638

jfwerner commented 3 years ago

Last change was 2 years ago. Yalp's UI is crap, and it's featureless. I don't even know if the implementation still works. Google has probably changed stuff since.


DarkCat09 commented 3 years ago

@jfwerner, Pardon me 😄 Why isn't the repository marked unmaintained?