Manually downloading that .apk and sending it to virustotal seems to reveal nothing suspicious (nor do metadefender, exodus, immuniweb), so it might be false positive.
But android security is not my forte; could someone else more experienced give it a check that it doesn’t include some infected dependency or whatever?
Thanks for confirmation.
My bad - I’ve meant to say “OS-level security” there, not to imply that it was part of AOSP. I’d disable it if I found a way how (like I disabled Google’s “protection”) - but it’s not listed under security settings, or anywhere else I looked. I can only disable auto-update of its database.
I would if I knew how. Anyone? (note that I do not have - nor intend to create - Huawei account. That phone runs only f-droid or other FOSS software; except unremovable bloatware that comes with the phone, of course, to my great annoyance).
Not that I’m particularly inclined to help Huawei (only reason I went for that phone was ability to unlock bootloader and install more free OS, but they stopped giving unlock codes for that just before my phone arrived), but I would invest effort for other f-droid users sake.
Update: only Huawei contact listed on the phone is Privacy Questions - HUAWEI Global which seems to require Huawei ID and is mostly about privacy complaints - I’ve tried it anyway, with “N/A” as an ID. It does also link to local Hawei telephone hotline. I’ve tried calling that, but (as expected) it seems to have been mostly an exercise in futility (the biggest advance in my attempt to make them understand that “the problem was a false positive which should be fixed by Huawei” was that the answer changed from “Click on uninstall to remove the malware” to “we don’t support 3rd party apps/stores and recommend you use Huawei Gallery store only” and a tentative promise that they’ll “forward the issue and let me know if there is some resolution”).
Update2: I’ve been contacted back by local Huawei rep I’ve talked with, with information that this Huawei malware detector is in fact Avast antivirus. I am somewhat skeptical about that information, as virustotal (which includes avast and avast mobile checks) does not detect malware on that file.
I have received the reply from Huawei reps. It is interested as it seems they have put some work into it – which I must say I’m pleasantly surprised about! They’ve gone through the effort to find newer (and official) build of the app for accomplishing the same task (which I happened to knew about, but had other issues with it, but nonetheless!)
However, result is that they still think that this f-droid build specifically is problematic (while they find apkpure build of the same app version is OK, which I find interesting).
They also recommend the issue to be brought to f-droid maintainer attention, so here it is.
Right? Did I answer correctly? Did I use the same vague terms?
I’m almost afraid to answer that question, but yeah, that “I won’t say what the problem is but trust me” is somewhat vague. I’d appreciate if you’d state what the problem is (in PM if not for public) to help me understand. (note that I by no means defend Huawei or claim that their app is perfect; far from it!)
OK, I’ll try to get more details.
Funnily, that is the same thing Huawei reps suggested to me so you at least agree with them on that
I’m not sure about that, as I don’t think Google Play version exist anymore? Anyway, I can reproduce their likely reasoning - Huawei/avast Optimizer detects f-droid version as problematic, but does not complain about APKPure version (which is supposedly based on same sources).
Which I find interesting as I don’t think they use simple file hash to blacklist problematic APKs, but more like they scan for some byte pattern - and that pattern does not appear in APKPure while it does appear in F-droid version, which I find curious since they’re both supposedly based on same source code. Sure, there are compiling/packaging differences which might create such false-positive signature by pure chance, but still fairly unlikely.
Another (purely academic, so please be gentle to me: I’m just going through theoretical possibilities, not implying that f-droid work is anything less than superb! All that effort is greatly appreciated!) possibility is that maybe some library version used by that app that f-droid pulled in some 6 years ago was itself hacked and not noticed (or even without actual corresponding source, like we had issue with e.g. ARcore lately)?
Why do we have 3 apps for this? @mnalis do those old ones even work anymore?
Now if I just could find out the app id in f-droid app this would be more readable which apps I am talking about exactly… Anyway, I see 3 standalone apps related to uploading to commons.wikimedia.org available on f-droid:
CommonsLab (old version 1.0, ~6 years old). That didn’t work for me. It installs, but after providing login, it crashes (on Android 10 at least. Perhaps it fares better on older android versions?)
CommonsLab (new version and new app id, version 1.2, also ~6 years old) - the one this thread is about: It works on my Android 10, is simple, and can upload not only pictures, but audio and video multimedia files too. (tested on audio, not yet on video). But seems to be abandoned…
Commons (version 4.1.0, updated a week ago) - active and more fully fledged app for uploading to commons (supports custom captions/categories/copyright), but only supports pictures, and is also quite buggy currently (see link above)
Update: I’ve contacted both Huawei reps asking for what byte sequence they use for detection, as well as reported false positive directly to Avast Mobile (which I installed and can reproduce the issue in too).
We’ll see if anything comes out of it…
This is a serious topic.
Never install an executable that you did not create yourself, or whose code is incomprehensible or incomplete. In no case listen to advice or encouragement on forums. Check for yourself. If in doubt, do not install.
Sure. Were it not, I wouldn’t have invested enough time for this thread and related reports.
While it is popular security mantra for general population, it is completely unusable in practice, as issue is waaaaay more complex than that. As the saying goes: “only truly safe computer is one that has been disconnected from network, turned off, crushed in hydraulic press, encased in concrete and sunk to the bottom of the ocean.”
In the end (in practice) it boils down to ephemeral concept of trust, i.e. How much do I trust F-droid not to sign & ship malicious software (intentionally or accidentally) to me? And the answer (for me) is “pretty much”!
To detail why the issue is so complex, let’s say you did use only open source software on your phone (do you?), and you did scan every line of that source and all libraries it uses that they do not contain malicious pieces of code (did you really, personally?). There are still a zillion other security problems remaining:
you might’ve missed the malicious code. Quick skimming will find just the worst offenders, but even hard dedicated multi-month detailed source audit by security experts is not fool-proof. For skeptics, sure in their ability to spot malicious code instantly, I’d highly recommend checking out finalists for Underhanded C Contest, where the point of contest is to make exploitable code for specific problem that looks completely innocuous so it is very hard to find even if when you know that simple one-page code contains malicious bug, with a bonus points given for plausible deniability (e.g. typical programmer mistake like off-by-one or similar).
especially on android, compiling code pulls other code from net. While f-droid tries very hard to make sure only open-source things are included, if company hides the fact that the thing is not really open source, potentially closed-source still can (extremely rarely, but still) sneak through. For example, ARcore by Google managed to do that relatively recently, so it is not impossible.
code that you can see e.g. on github.com might not be the same code that you (or someone else) checks out (i.e. you might get one copy of code, but f-droid different copy). You’d have to trust not only Microsoft (GitHub owners), but also git authors and all the rest of security stack (which is quite hard as GitHub does not publish its source code), security of currently used crypto that it is not susceptible to MITM attacks by other actors etc. Companies might even be forced by government to do such activity, or it might be result of some third party hack, even in company is benevolent (which in itself is not an attribute I’d slap on Microsoft!)
even if the code that reaches the compiler is the same code written by trusted author and without any intentional malware or exploitable bugs (which is huge leap of faith in itself!), you’d still have to trust that the whole build toolchain is not compromised. Even if you check source code for all your compilers and rest of toolchain (good luck with that, if you’d wish to accomplish anything else in your life), you can still be fooled - see Ken Thompson /bin/login hack as a popular teaching example.
even if all the code and toolchain were to be correct, not tampered with, and bug-free (which they are not, not by a far stretch), there is still an issue of OS itself being full of exploitable bugs and downright intentional malware. You might try to significantly reduce that risk by replacing stock ROM with Replicant, if your phone is supported and you’re OK with losing (significant) hardware functionality (like WiFi, GPS, mobile data etc) due to missing open source alternatives.
even with all those pure-software issues addressed (if you somehow still believe that fable of “secure computer” is possible), even below all that sit spy chips, updatable things like microcode, hardware made in such way that other remote-controlled chips can modify the CPU, special hardware intentionally build to override CPU outside of user control like AMT etc. While those hardware issues can be significantly reduced if you go for (currently still below-par technology-features-vise) open hardware like OpenMoko, it still does not solve problem completely.
and that is just the most popular things that I (as not-particularly-well invested security expert, but still somewhat above the average user) know of (and can pull from the top of my head). I’m sure there are many more known by people invested in the subject, and more so known to blackhats and state actors like NSA etc.
IOW, Security is hard. Really hard. You just won’t believe how vastly hugely mindboggingly hard it is. I mean you may think it’s hard to build a spaceship and visit other stars, but that’s just peanuts to security. Listen… (with apologies to Douglas Adams)
Theoretically, one might avoid most of those problems by building computer hardware themselvers from sourced discrete parts that are too simple to be able to be rigged. So, transistors, maybe even logic gates. But definitely not anything as complex as memory chip or ($DEITY forbid!) microprocessor. Then proceed to use toggle switches to create your own assembler for it (because that keyboard might be compromised too), and from there you’re ready to write your complete software stack, from OS upwards. Provided you can do that without any bugs or methods exploitable for side-channel and other attacks (both in software or hardware), you should be mostly safe.
In practice however, only way to make sure your computer is safe, is not to use any. Or, if that is not an attractive option, use security management techniques (most importantly proper risk assessment) so that (even after you somewhat reduce the risk) whenever and whatever bad thing happens (which it eventually will, even for most die-hard security experts), you are OK with its scope and prepared remedies.
“Security” - said Marvin - “don’t talk to me about security”
(sorry for the longish diatribe, but that myth had to be dispelled)
We have now cleared its reputation in our database based on the findings and removed the detection. This change may take up to 24 hours to take full effect. Please accept our apology for the inconvenience caused.
If the detection persists after 24 hours, update the virus database in Avast anti-virus and reply to this email with the attached files:
1.Take a screenshot of the Avast detection dialog (Threat Secured pop-up with See details - displayed at the bottom).
2.Take a screenshot of the Avast virus database (open Avast antivirus and go to Menu > About).
We hope you have a nice day and stay safe online.