VirusTotal finds a virus in some applications - Boogr.gsh false positives

I came across this website by chance:
https://www.apkscan.org/?searchby=source&q=5

I took a look and noticed that some apps from the F-Droid repo are marked as having viruses; in some cases even 20 VirusTotal engines find a trojan virus.

One application that I use from time to time is APK Extractor, and I was really surprised that it is marked by 7 VirusTotal engines as a trojan virus.


Here we come to the question:
Are all applications on the f-droid safe to use?
Does the app pass any security and safety tests before appearing on the F-droid?
While some think any open source application is secure, it can normally be malicious.

1 Like

Are all applications on the f-droid safe to use?

Dunno… but if it’s on F-Droid it has been built from source code, so you can easily check whatever the snake-oil virus scanner says.

in some cases even 20 virustotal engines find a trojan virus.

Link?

Does the app pass any security and safety tests before appearing on the F-droid?

Yes, VirusTotal, so what does that site show you as infected if the apps are marked as clean by VirusTotal when we scan? E.g. look at some of those with 1 (one) malware… scroll down… see “Virustotal says clean”… that table is dumb.

While some think any open source application is secure, it can normally be malicious.

Of course, just that it’s a bit harder to do this when the source is in the open.

Note some inconsistencies: for APK Extractor, the website lists version 2, added 2017-10-11, but F-Droid has version 1.4, added 4/4/18.

I scanned with ClassyShark3xodus: No issues. Also with @SkewedZeppelin 's Hypatia virus scanner (with all available signatures): No issues.

APK Extractor 1.4/5

does have detections on VirusTotal

However, I saw nothing suspicious when I decompiled it.

Now search the internet for “Boogr.gsh” and see users installing Android Studio and Kaspersky deleting harmless gradle files…

deleting harmless gradle files

yep, scan any APK with clamscan --detect-pua and it’ll “find” ‘Ewind’ and ‘Mobidash’

Fact check:

What confuses me:

every “fdroid” app on www.apkscan.org/ has a different cert fingerprint.

As far as I know, F-Droid uses the same certificate for signing all APKs, so all “fdroid” APKs should have the same cert fingerprint.

Example

  • go to https://www.apkscan.org/
  • press “Search”
  • select “By cert. fingerprint”
  • paste “9CFA1B7CBF02B360C009C6B6A814E53060C80659” into the search field
  • press the “search” button
  • ==> result: 4 different virus-free versions of "com.simplemobiletools.gallery"
  • ==> I would have expected to find "2954" F-Droid apps with the same certificate.

VirusTotal is a well-known address.

I have never heard of “apkscan.org” before. Who operates and finances it?

Open question:

Is my assumption correct that all F-Droid-signed APKs should have the same cert fingerprint?

F-Droid.org should have a web page that publishes the public cert fingerprint so that we can verify the certificate.
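The fingerprint pasted above is the SHA-1 hash of the signer's DER certificate, which is also what a verifier would compare against a published key. As an added example (not code from this thread, from F-Droid or from apkscan.org), the following standard-library Python script pulls the certificate(s) out of an APK's v1 signature block and prints their SHA-1 fingerprints. It assumes the APK carries a META-INF/*.RSA, *.DSA or *.EC entry, i.e. a DER-encoded PKCS#7 SignedData whose [0] element holds the certificates; the sample APK and "certificate" it builds in memory are constructed placeholders, not real signed data.

```python
"""Print the SHA-1 fingerprint of each signing certificate in an APK's v1 (JAR)
signature block, using only the standard library.

Added example, not code from this thread or from F-Droid. Assumes the APK
carries META-INF/*.RSA, *.DSA or *.EC, a DER-encoded PKCS#7 SignedData whose
[0] element holds the signer certificates.
"""
import hashlib
import io
import sys
import zipfile


def der_tlv(tag, content):
    """Encode one DER tag-length-value (used only to build constructed samples)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_children(buf):
    """Yield (tag, whole_tlv, content) for each element of a DER constructed value.
    Single-byte tags only, which is all PKCS#7 SignedData needs at this depth."""
    pos = 0
    while pos < len(buf):
        tag, ln, hdr = buf[pos], buf[pos + 1], 2
        if ln & 0x80:                      # long-form length
            nbytes = ln & 0x7F
            ln = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
            hdr += nbytes
        end = pos + hdr + ln
        yield tag, buf[pos:end], buf[pos + hdr:end]
        pos = end


def certificates_from_pkcs7(der):
    """Return the DER bytes of every certificate in a PKCS#7 SignedData blob.
    Walks ContentInfo { OID, [0] EXPLICIT SignedData { version, digestAlgorithms,
    contentInfo, [0] IMPLICIT certificates, ... } }."""
    outer = list(der_children(der))
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("not a single DER SEQUENCE")
    explicit = [c for t, _, c in der_children(outer[0][2]) if t == 0xA0]
    if not explicit:
        raise ValueError("no SignedData element")
    signed_data = next(der_children(explicit[0]))[2]
    certs = []
    for tag, _, content in der_children(signed_data):
        if tag == 0xA0:                    # [0] IMPLICIT certificates
            certs += [whole for t, whole, _ in der_children(content) if t == 0x30]
    return certs


def sha1_fingerprint(cert_der):
    """Upper-case hex SHA-1 over the DER certificate, the form apkscan/keytool show."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def apk_signer_fingerprints(apk_bytes):
    """Map each v1 signature block in the APK to the fingerprints of its certificates."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                result[name] = [sha1_fingerprint(c) for c in certificates_from_pkcs7(zf.read(name))]
    return result


# --- constructed sample data so the script runs offline ---------------------
# Placeholder "certificate": a SEQUENCE wrapping an OCTET STRING, not real X.509.
# Repeated so the DER long-form length path above gets exercised.
FAKE_CERT = der_tlv(0x30, der_tlv(0x04, b"constructed placeholder, not a real certificate" * 4))
OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"   # 1.2.840.113549.1.7.2
OID_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"          # 1.2.840.113549.1.7.1


def build_fake_pkcs7(cert):
    """Minimal SignedData skeleton carrying one certificate (no real signer info)."""
    signed_data = der_tlv(0x30, der_tlv(0x02, b"\x01")            # version
                          + der_tlv(0x31, b"")                      # digestAlgorithms
                          + der_tlv(0x30, der_tlv(0x06, OID_DATA))  # contentInfo
                          + der_tlv(0xA0, cert)                     # [0] certificates
                          + der_tlv(0x31, b""))                     # signerInfos
    return der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, signed_data))


def build_fake_apk(cert):
    """In-memory zip shaped like an APK with a v1 signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder/>")
        zf.writestr("META-INF/CERT.RSA", build_fake_pkcs7(cert))
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real APK path to fingerprint it; with no argument, use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_apk(FAKE_CERT)
    for block, fps in apk_signer_fingerprints(data).items():
        for fp in fps:
            print(f"{block}: SHA1 {fp}")
```

Run it with an APK path to get one line per signature block. It reads only the v1 (JAR) signature; v2/v3 signatures live in the APK Signing Block rather than under META-INF, so `apksigner verify --print-certs` from the Android SDK build tools remains the authoritative check, and `keytool -printcert -jarfile app.apk` prints the same v1 fingerprints. Note that, as a later reply in this thread points out, F-Droid signs each app with its own key, so seeing a different fingerprint per app is expected rather than a sign of tampering.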

F-Droid keys are documented here:

VirusTotal has funky UX. When you scan URLs it doesn’t run filetype specific scans. When you use their upload form you’ll find it’ll run APK specific scanners which then will yield some virus warnings.

Also, F-Droid generates individual signing certificates for each and every app. So it’s perfectly fine that all those APKs have different key fingerprints.

My experience with VT is: It’s a good indicator – but you cannot rely solely on its results. Snake Oil “Virus-Scanners” are known to produce false positives. Some of them produce even more than others. There are several engines I simply ignore when they’re the only ones “finding” something (and it’s no exception that some weeks later I find VT has kicked out that engine altogether). Use with care and cross-check with other resources.

What I strongly dislike is: each finding at best gives you a “cryptic name” without any details (or I just didn’t figure yet how to get to those details). When I tried to use that “cryptic name” with a web search, I wasn’t wiser afterwards.

I start getting very suspicious when 5 or more engines agree, not before.

3 Likes
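The triage rule in the post above (discount a few habitually noisy engines, treat heuristic or PUA names as weak signals, and only escalate when several engines agree) is easy to make mechanical. The following Python script is an added example, not code from this thread or from VirusTotal: the engine names and detection strings are constructed sample data, the ignored-engine list is a placeholder for whichever engines the analyst has found unreliable, and the threshold of 5 follows the "5 or more engines" rule of thumb stated above. It also normalises vendor naming such as HEUR:Trojan.AndroidOS.Boogr.gsh down to a family token so agreement can be counted per family rather than per raw string.

```python
"""Triage a VirusTotal-style detection table: discount noisy engines, treat
heuristic/PUA names as weak signals, escalate only on multi-engine agreement.

Added example, not code from this thread or from VirusTotal. Engine names,
detection strings and the ignored-engine list are constructed placeholders.
"""
import re

# Engines whose lone verdicts this analyst discounts (placeholder names).
IGNORED_ENGINES = {"ExampleAV-Noisy", "ExampleAV-Heuristic"}

# Substrings marking a detection as heuristic or potentially-unwanted rather
# than a concrete malware match.
WEAK_MARKERS = ("heur", "pua", "adware", "not-a-virus", "riskware", "generic", "suspicious")

# Platform/category tokens that carry no family information.
NOISE_TOKENS = {"heur", "trojan", "androidos", "android", "andr", "pua", "adware",
                "generic", "riskware", "not", "a", "virus", "malware", "variant", "of"}


def family(detection):
    """Reduce vendor naming like 'HEUR:Trojan.AndroidOS.Boogr.gsh' to a family
    token ('boogr') so agreement across engines can be counted per family."""
    for token in re.split(r"[^A-Za-z0-9]+", detection):
        t = token.lower()
        if len(t) >= 3 and t not in NOISE_TOKENS and not t.isdigit():
            return t
    return "unknown"


def triage(results, threshold=5):
    """results maps engine name -> detection string, or None when the engine saw nothing."""
    flagged = {e: d for e, d in results.items() if d}
    counted = {e: d for e, d in flagged.items() if e not in IGNORED_ENGINES}
    strong = {e: d for e, d in counted.items()
              if not any(m in d.lower() for m in WEAK_MARKERS)}
    families = {}
    for engine, det in counted.items():
        families.setdefault(family(det), []).append(engine)
    if len(counted) >= threshold:
        verdict = "investigate"
    elif counted:
        verdict = "likely false positive"
    else:
        verdict = "clean"
    return {"engines": len(results), "flagged": len(flagged), "counted": len(counted),
            "strong": len(strong), "families": families, "verdict": verdict}


# Constructed: a 10-engine table resembling the APK Extractor case in the thread.
SAMPLE_LOW_CONSENSUS = {
    "ExampleAV-A": "HEUR:Trojan.AndroidOS.Boogr.gsh",
    "ExampleAV-B": "Trojan.AndroidOS.Boogr.gsh",
    "ExampleAV-Noisy": "Android.PUA.Mobidash",
    "ExampleAV-Heuristic": "Artemis!1A2B3C",
    "ExampleAV-C": None, "ExampleAV-D": None, "ExampleAV-E": None,
    "ExampleAV-F": None, "ExampleAV-G": None, "ExampleAV-H": None,
}

# Constructed: same engines, but six independent ones name one concrete family.
SAMPLE_CONSENSUS = dict(SAMPLE_LOW_CONSENSUS)
SAMPLE_CONSENSUS.update({
    "ExampleAV-A": "Trojan.AndroidOS.ConstructedFam.a",
    "ExampleAV-B": "Android/ConstructedFam.B",
    "ExampleAV-C": "Andr/ConstructedFam-C",
    "ExampleAV-D": "Trojan:Android/ConstructedFam.D",
    "ExampleAV-E": "a variant of Android/ConstructedFam.E",
    "ExampleAV-F": "AndroidOS.ConstructedFam",
})

if __name__ == "__main__":
    for label, table in (("low consensus", SAMPLE_LOW_CONSENSUS), ("consensus", SAMPLE_CONSENSUS)):
        print(label, triage(table))
```

The per-family grouping is the part worth keeping: two engines that share a signature feed and both say Boogr.gsh are weaker evidence than two engines that independently name the same family with different naming schemes, and counting families alongside raw hits makes that visible.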

Also depends heavily on the application. APK Extractor? Sounds like some hacking tool and is thus probably detected like any other development tool (for example Cheat Engine).

Anecdote:
It can be something pretty simple: write an application that uses the low-level global hotkey detection in Windows, and it’ll be detected as a keylogger. Virus detection can’t see what I’m using that API for; it just sees that it’s used. I had to use that to circumvent some programs that try to catch all keyboard inputs and disable global hotkeys (yes, games do that…), so if I wanted to still use a hotkey, I had to take this route.

VirusTotal is a bad choice if you’re privacy-conscious, since it’s owned by Google. I use OPSWAT Metadefender. https://metadefender.opswat.com/

ClamAV is also famously more paranoid than a chicken in a thunderstorm. Once I scanned a brand new Windows 7 install with it and it nuked half the exe files on the PC.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

I get a threat detection warning.

HEUR:Trojan.AndroidOS.Boogr.gsh

Not the only “false positive” for that “virus”

1 Like

Snake oil… See my intro for (and the links at the end of) Anti-Virus, Anti-Malware, Anti-Theft. We do run APKs through VirusTotal and see such false positives from time to time. VT runs stuff through 60+ engines, which makes it easier to spot them: if just 1 or 2 report something, it’s very likely a false positive.

AV apps on your Android device are mostly a greater risk by themselves. Many security researchers would classify them as malware or at least PUA. Have you counted the trackers contained in your Kaspersky – or in McAfee, or Avira? Better keep those off your device. If you insist, there’s one clean AV app, and you can get it at (surprise!) F-Droid: Hypatia.

1 Like

Curious…

Kaspersky on my smartphone finds “trojan.androidOS.Boogr.gsh” (only now)

for Character Recognition

False positive?

Yup, we get that a lot :frowning:

My Kaspersky flagged a virus from the music app built and signed by F-Droid. I double-checked it with VirusTotal and it detected 5 instances.
Is this a legit virus?