The F-Droid build of AfWall 4.0.2 made 5 engines on VirusTotal go crazy:
The build directly from GitHub was fine, on the other hand.
The developer of AfWall suspected a false positive because of gcc static compiled binaries and released a new version with NDK binaries. But he had no explanation for why his build didn’t trigger any engines, while the F-Droid build did. More context here:
There was no issue with 4.0.1 and 4.0.3 from F-Droid, by the way.
Anyone with more expertise than me care to investigate? Is it possible that the build process from F-Droid got compromised?
I mean yeah, 4.0.3 seems to be clean, but unfortunately I installed 4.0.2 from F-Droid before finding out about the VirusTotal reports, and my phone behaved strangely after that (first no networking, then boot loop after restart), so that’s why I am kinda worried.
The loop stopped after denying root access to afwall, but I’m not really trusting my phone at the moment.
The build process is automated, from the upstream source. Looking at that issue, most things were explained.
When testing an APK on VirusTotal make sure to make a fresh test, a “rescan now” basically, so it does not use past results for one APK and current results for another. Antivirus data changes, hence results change with time (better or worse).
What remains unexplained for me: why did the F-Droid build get flagged, while the build from GitHub did not? Even the developer had no answer for this.
I am writing because I believe it is not unheard of that malware can get smuggled into software in the build process via bad artifacts. But I have no knowledge to investigate this myself in a meaningful way.
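The open question in this thread is what actually differs between the F-Droid build and the developer's GitHub build of the same version. Since an APK is a zip archive, a first defensive check is to hash every entry in both archives and list which entries were added, removed or changed; that narrows the AV hits down to specific files (for instance a native binary) instead of a whole APK. The script below is an added example and is not code from this thread, from AfWall or from F-Droid. The two archives it compares are constructed in memory (with a placeholder package name) so it runs offline; in real use you would read the two `.apk` files from disk.

```python
"""Compare two APK builds entry by entry (added example, not project code).

An APK is a zip archive, so two builds of the same version can be compared
by hashing every entry in each archive and reporting which entries exist in
only one build and which are present in both but differ. The sample archives
below are constructed inline to keep the script self-contained.
"""
import hashlib
import io
import zipfile


def entry_hashes(apk_bytes: bytes) -> dict:
    """Map each file entry in the archive to the SHA-256 of its bytes."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def diff_apk_entries(apk_a: bytes, apk_b: bytes) -> dict:
    """Return entries only in A, only in B, changed between them, and identical."""
    ha, hb = entry_hashes(apk_a), entry_hashes(apk_b)
    common = set(ha) & set(hb)
    return {
        "only_in_a": sorted(set(ha) - set(hb)),
        "only_in_b": sorted(set(hb) - set(ha)),
        "changed": sorted(n for n in common if ha[n] != hb[n]),
        "identical": sorted(n for n in common if ha[n] == hb[n]),
    }


def build_apk(entries: dict) -> bytes:
    """Construct a minimal zip archive in memory as a stand-in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample builds (hypothetical contents, placeholder package name):
# same manifest and dex, but the bundled native helper differs, and each build
# carries its own signing block, as two independently signed builds would.
DEV_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "assets/iptables_armeabi": b"ELF-native-build-A",
    "META-INF/DEV.RSA": b"signature-block-A",
})
FDROID_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "assets/iptables_armeabi": b"ELF-native-build-B",
    "META-INF/FDROID.RSA": b"signature-block-B",
})


def report(apk_a: bytes, apk_b: bytes) -> str:
    """Human-readable summary of the differences between two builds."""
    d = diff_apk_entries(apk_a, apk_b)
    lines = []
    for key in ("only_in_a", "only_in_b", "changed"):
        for name in d[key]:
            lines.append(f"{key:10s} {name}")
    lines.append(f"identical  {len(d['identical'])} entries")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DEV_APK, FDROID_APK))
```

Entries that differ only in `META-INF/` are expected when two parties sign the same code; a changed `classes.dex` or native binary is what deserves a closer look, for example by submitting just that entry for scanning or by rebuilding it under reproducible-build conditions.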