Virustotal finds a virus in some applications

I came across this website by chance:
https://www.apkscan.org/?searchby=source&q=5

I took a look and noticed that some apps from the F-Droid repo are marked as having viruses; in some cases even 20 VirusTotal engines find a trojan.

One application I use from time to time is APK Extractor, and I was really surprised that it is flagged by 7 VirusTotal engines as a trojan.


Here we come to the questions:
Are all applications on F-Droid safe to use?
Does an app pass any security and safety tests before appearing on F-Droid?
While some think any open source application is secure, it can still be malicious.


Are all applications on the f-droid safe to use?

Dunno… but if it’s on F-Droid it has been built from source code, so you can easily check whatever the snake-oil virus scanner says.

in some cases even 20 virustotal engines find a trojan virus.

Link?

Does the app pass any security and safety tests before appearing on the F-droid?

Yes, VirusTotal. So why does that site show apps as infected if they are marked as clean by VirusTotal when we scan? E.g. look at some of those with 1 (one) malware, scroll down, see “Virustotal says clean”… that table is dumb.

While some think any open source application is secure, it can normally be malicious.

Of course, just that it’s a bit harder to do this when the source is in the open.

Note some inconsistencies: for APK Extractor, the website lists version 2, added 2017-10-11, but F-Droid has version 1.4, added 4/4/18.

I scanned with ClassyShark3xodus: no issues. Also with @SkewedZeppelin’s Hypatia virus scanner (with all available signatures): no issues.

APK Extractor 1.4/5
https://www.virustotal.com/gui/file/75250aeebf69d35ffd0ffa3631e37317c3d7b13befa1cdac728201b956018c50/detection
does have detections on VirusTotal

However I saw nothing suspicious when decompiled.

Now search the internet for “Boogr.gsh” and see users installing Android Studio and Kaspersky deleting harmless gradle files…

deleting harmless gradle files

yep, scan any apk with clamscan --detect-pua and it’ll “find” ‘Ewind’ and ‘Mobidash’

Fact check:

What confuses me:

every “fdroid” app on www.apkscan.org/ has a different cert-fingerprint.

As far as I know, F-Droid uses the same certificate for signing all APKs, so all “fdroid” APKs should have the same cert fingerprint.

Example

  • go to https://www.apkscan.org/
  • press “Search”
  • select “By cert. fingerprint”
  • paste “9CFA1B7CBF02B360C009C6B6A814E53060C80659” into the search field
  • press the “search” button
  • ==> result: 4 different virus-free versions of “com.simplemobiletools.gallery”
  • ==> I would have expected to find 2954 fdroid apps with the same certificate.

VirusTotal is a well-known address.

I have never heard of “apkscan.org” before. Who operates and finances it?

Open Question:

Is my assumption correct that all F-Droid-signed APKs should have the same cert fingerprint?

f-droid.org should have a web page that publishes the public cert fingerprint so that we can verify the certificate.

F-Droid keys are documented here:

https://f-droid.org/docs/Release_Channels_and_Signing_Keys/

VirusTotal has funky UX. When you scan URLs it doesn’t run filetype specific scans. When you use their upload form you’ll find it’ll run APK specific scanners which then will yield some virus warnings.

Also, F-Droid generates individual signing certificates for each and every app. So it’s perfectly fine that all those APKs have different key fingerprints.

My experience with VT is: it’s a good indicator, but you cannot rely solely on its results. Snake-oil “virus scanners” are known to produce false positives, some of them more than others. There are several engines I simply ignore when they’re the only ones “finding” something (and it’s not unusual that some weeks later I find VT has kicked out that engine altogether). Use with care and cross-check with other resources.

What I strongly dislike is that each finding at best gives you a “cryptic name” without any details (or I just haven’t figured out yet how to get to those details). When I tried to use that “cryptic name” in a web search, I wasn’t any wiser afterwards.

I start getting very suspicious when 5 or more engines agree, not before.

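The post above says F-Droid signs each app with its own key and points at the published key list. As an added example (not code from this thread, from F-Droid or from apkscan.org), here is a small Python script that pulls the signer certificate out of an APK’s v1 (JAR) signature block, META-INF/CERT.RSA or .DSA/.EC, and computes the SHA-1 and SHA-256 fingerprints that sites like the one discussed here display, so you can compare them against a fingerprint F-Droid publishes. The APK it inspects is constructed in memory with a synthetic stand-in “certificate” blob purely to exercise the parser; the function names are my own.

```python
import hashlib
import io
import zipfile


# --- minimal DER helpers ---------------------------------------------------

def _tlv(buf, off):
    """Decode one DER tag/length at buf[off]; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length


def _expect(buf, off, want):
    tag, start, end = _tlv(buf, off)
    if tag != want:
        raise ValueError(f"expected tag {want:#x} at offset {off}, got {tag:#x}")
    return start, end


def extract_certs_from_pkcs7(der):
    """Return the DER bytes of each certificate in a PKCS#7 SignedData blob
    (the format of META-INF/CERT.RSA, .DSA or .EC in a v1-signed APK)."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    start, _ = _expect(der, 0, 0x30)
    _, oid_end = _expect(der, start, 0x06)
    sd_start, _ = _expect(der, oid_end, 0xA0)
    off, _ = _expect(der, sd_start, 0x30)
    # SignedData: version INTEGER, digestAlgorithms SET, encapContentInfo SEQUENCE,
    # then certificates [0] IMPLICIT SET OF Certificate (optional)
    _, off = _expect(der, off, 0x02)
    _, off = _expect(der, off, 0x31)
    _, off = _expect(der, off, 0x30)
    tag, certs_start, certs_end = _tlv(der, off)
    if tag != 0xA0:
        return []                           # no certificates carried in the blob
    certs, p = [], certs_start
    while p < certs_end:
        _, _, cert_end = _tlv(der, p)
        certs.append(der[p:cert_end])       # the whole TLV is what fingerprints hash
        p = cert_end
    return certs


def normalize_fingerprint(fp):
    """'9c:fa:1b:...' (keytool/apksigner style) -> '9CFA1B...' (as pasted in the thread)."""
    return "".join(ch for ch in fp if ch not in ": ").upper()


def apk_v1_signer_fingerprints(apk_bytes):
    """Fingerprints of the signing certificate(s) in the APK's JAR signature.
    Only the v1 scheme is read; the v2/v3 APK Signing Block is not parsed here."""
    result = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in extract_certs_from_pkcs7(z.read(name)):
                    result.append({
                        "file": name,
                        "sha1": hashlib.sha1(cert).hexdigest().upper(),
                        "sha256": hashlib.sha256(cert).hexdigest().upper(),
                    })
    return result


def verify_signer(apk_bytes, known_fingerprint):
    """True if any signer cert's SHA-1 or SHA-256 equals the published fingerprint."""
    want = normalize_fingerprint(known_fingerprint)
    return any(want in (s["sha1"], s["sha256"]) for s in apk_v1_signer_fingerprints(apk_bytes))


# --- constructed sample input (not a real app, not a real certificate) -----

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Stand-in for a DER X.509 certificate: only the outer SEQUENCE shape matters to the parser.
FAKE_CERT = _der(0x30, b"\x02\x01\x01" + b"constructed stand-in, not a real X.509 certificate")


def build_sample_apk():
    """Minimal v1-signed-looking APK whose CERT.RSA wraps FAKE_CERT in PKCS#7 SignedData."""
    signed_data = _der(0x30,
        _der(0x02, b"\x01")                                             # version
        + _der(0x31, b"")                                               # digestAlgorithms (empty)
        + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701")))   # encapContentInfo: id-data
        + _der(0xA0, FAKE_CERT)                                         # certificates
        + _der(0x31, b""))                                              # signerInfos (empty)
    pkcs7 = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010702"))  # id-signedData
                 + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


def expected_sample_fingerprint():
    return hashlib.sha256(FAKE_CERT).hexdigest().upper()


if __name__ == "__main__":
    apk = build_sample_apk()
    for s in apk_v1_signer_fingerprints(apk):
        print(f"{s['file']}: SHA1={s['sha1']} SHA256={s['sha256']}")
    print("matches published key:", verify_signer(apk, expected_sample_fingerprint()))
```

The 40-hex-digit value pasted in the thread is a SHA-1 fingerprint; F-Droid’s key documentation lists SHA-256 values, and apksigner/keytool print both with colons, which normalize_fingerprint strips before comparing. Because F-Droid uses a separate key per app, the fingerprint to compare against is the one published for that specific app, not one repo-wide value. Swap build_sample_apk() for open("app.apk", "rb").read() to check a real download; for apps signed only with the v2/v3 scheme, use apksigner verify --print-certs instead, since this script does not parse the APK Signing Block.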

Also depends heavily on the application. APK Extractor? Sounds like some hacking tool and is thus probably detected like any other development tool. (For example Cheat Engine.)

Anecdote:
It can be something pretty simple, like writing an application that uses the low-level global hotkey detection in Windows, and it’ll be detected as a keylogger. Virus detection can’t see what I’m using that API for; it just sees that it’s used. I had to use that to circumvent some programs that try to catch all keyboard inputs and disable global hotkeys (yes, games do that…), so if I wanted to still use a hotkey, I had to take this route.