The Blacklistblocker app contains a trojan, please remove it

I installed this app a while ago https://f-droid.org/it/packages/com.kaliturin.blacklist/, yesterday I ran the antivirus and it reported a trojan, so I downloaded it and ran it on VirusTotal via the computer and… https://www.virustotal.com/gui/file/a1ffd54ac4301370f122928a180a86755e64dba2c6d3a09a44f7ea47c1ce7741

13 antiviruses find malware in the app, I recommend removing it, for everyone’s safety.

This looks like a false positive.

1 Like

such an old app @Moulinsky why not try a newer one like SpamBlocker (Call & SMS) | F-Droid - Free and Open Source Android App Repository

or NoPhoneSpam | F-Droid - Free and Open Source Android App Repository

also, when making accusations, it’s helpful to point to where in the source code the bad behaviour is done: GitHub - kaliturin/BlackList: Blacklist Blocker is a free Android application for blocking unwanted calls and SMS

2 Likes

@SkewedZeppelin it’s not a false positive, 13 antiviruses recognize it, not just two.

@Licaon_Kter I know it’s an outdated app, but if 13 antiviruses recognize malware it’s better to remove it from circulation than to distribute it and cause possible damage… there are other apps for the same use anyway.

Open source is not about putting your head in the sand and denying, but about acting and remedying… otherwise we’re like M$.

If I have to have apps with malware I might as well get them from pirate stores.

The other apps I took from F-droid have no malware… but if things change Google would be wise to deny the possibility of taking apps from F-droid… think about it.

If you doubt 13 antivirus then how many does it take to convince you?

Do we want to repeat the XZ story but in a more stupid way?

Pretty please with sugar on top, point in the actual source, the bad stuff… if it’s so clear, this is an easy task, yes?

Surely you’ve got details from those 13 antiviruses about how and when the bad stuff happens so you just link to the code that does it.

Thanks

2 Likes

@Licaon_Kter Have you ever heard of virustotal? It’s a site where you can test whether an .exe or an .apk is malicious with 69 antiviruses, if you’re not convinced by my statements, try it yourself, but I’ll post a photo for you.

@Moulinsky
I decompiled it and spent 20 minutes skimming the source, saw nothing obvious.

They all even use a generic flag for it.
Likely based off of the permissions.
I even tested that, by removing the manifest and it got 0 detections.

1 Like

0/65
21 hours ago

Here I’ll post a photo for you

@SkewedZeppelin Glad you checked the old way… unfortunately the antiviruses when they find a result don’t explain why.

At the moment I have in mind to strengthen the ClamAV definitions because with only the open source ones it is not of much use.

When I go to “dirty” sites I use a browser on purpose… and the malwarebytes addon occasionally marks something, I just don’t go there anymore, better to be too safe than not enough.

I repeat that the apps I take from F-droid did not have any malware except this one, and I would also add that I scanned the sources with virustotal and no antivirus reported malware, but a lot of tricks are used to load malware.

1 Like

https://www.reddit.com/r/ApksApps/comments/s746co/android_agentbjstr_founded_is_it_dangerous/?rdt=52035

here they say that Android Agent.BJS! is very bad malware… that creates DDoS and loads other malware… but I had already blocked it from accessing the network with NetGuard.

I think I can declare the problem closed: this old app contacts Google’s IP… and is considered malware for this reason, so is Firefox :slight_smile:

this app does not have INTERNET permission, so…

Exactly why I ironically said “Surely you’ve got details from those 13 antiviruses about how and when the bad stuff happens” because we see this all the time :frowning: false positives named “Generic.Android” or dumber names.

they keep drumming the “other stores malware”, even in the latest EU DMA meeting @hans asked them directly “you say there’s malware, where can we see your data?” and the Google guy made jokes about “Hans from F-Droid? what is this a bot?” but 10 mins earlier the big screen had slides from Google with a phone home screen and F-Droid installed. :shrimp:

Why is this treated as malware? Ask the devs… “for security” reasons Google rejects 99.99% of apps requesting SMS or Contacts permission, so I bet that is it as @SkewedZeppelin tested above

Another Google product, yes…

2 Likes

VirusTotal’s static analysis for domains will automatically resolve to an IP even if the app never actually connects,
and common XML schema types in files will have such Google URLs in them.
They are no indication of any activity.

Also they run the app in an emulated device, which has Google Services… which connect to… :slight_smile:

2 Likes
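The checks discussed in the posts above (which permissions the manifest requests, whether INTERNET is among them, and whether a URL in the file is only an XML namespace identifier) can be scripted. This is an added example, not code from any poster or from the app; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest and package name are constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: decoded manifest of a hypothetical call/SMS blocker
# (package name and permission set are made up, not the app in this thread).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.blocker">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application android:label="Blocker"/>
</manifest>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
XMLNS_RE = re.compile(r"xmlns(?::\w+)?\s*=\s*[\"'](https?://[^\"']+)[\"']")


def triage_manifest(manifest_text):
    """Report what a decoded manifest says about permissions and URLs."""
    root = ET.fromstring(manifest_text.encode("utf-8"))
    name_attr = "{%s}name" % ANDROID_NS
    perms = sorted(
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    )
    # URLs that are only XML namespace identifiers are never fetched.
    namespace_urls = set(XMLNS_RE.findall(manifest_text))
    all_urls = set(URL_RE.findall(manifest_text))
    return {
        "permissions": perms,
        "requests_internet": "android.permission.INTERNET" in perms,
        "sms_contacts": [p for p in perms if "SMS" in p or "CONTACTS" in p],
        "namespace_urls": sorted(namespace_urls),
        "other_urls": sorted(all_urls - namespace_urls),
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, "=", value)
```

A manifest with SMS and contacts permissions, no INTERNET request and only namespace URLs matches the pattern the posters describe: the detections track the permission set, and the URL in the file says nothing about network activity.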

Anyway, thanks for raising issues as you see them. While we hope all are false positives, it helps to have more eyes looking at the apps/code. :+1:

1 Like

It was nice chatting with more experienced people, now I want to find some other app with telephone issues and test it, understand if it is reported for some reason… which is not a reason.

If an app contacted various IPs that are perhaps not useful for searching for updates it would be sensible, but it is clear that if it contacts Google’s IPs it is not to perform a DDOS.

However, I block all apps that shouldn’t go online from going online, both for my reasons and theirs. If an app doesn’t clearly provide this for “service purposes” then I close it.

Thanks again.

P.S. I made another discovery: it was for statistical reasons, that is, the developer wanted to know if they played it…

umm? links?

this IP (216.239.34.36) is in California, and is connected to malware… but also to statistical domains, as if the two things were confusing one another.

But if you do statistics then if there was malware the two things would appear connected even if they are not.

Maybe it’s better to stop otherwise we’ll sleep badly :slight_smile:

But we need to change the title of the post to “everything is now so confusing that those who create definitions for antiviruses think that statistics are a virus”