sample.dex file triggering antivirus engines :/ #97

Closed
darkvertex opened this issue Jan 19, 2021 · 3 comments
Comments

darkvertex commented Jan 19, 2021

I just had an awkward situation trying to go get a tool that used this module from my work laptop and the corporate cybersecurity solution (Fortinet Forticlient Antivirus) tripped on the sample.dex telling me it thinks it's some kind of Android trojan:

[image]

VirusTotal also reports positives from several other AV engines:
https://www.virustotal.com/gui/file/8995adc809fd239ecd2806c6957ee98db6eb06b64dac55089644014d87e6f956/detection

That said, I don't believe you meant harm or are trying to sneak trojans into the world. This looks like an unfortunate case of a suspicious file that made it into the unit test suite; that is all.

I saw it was added by a commit from @mikusjelly but where did they get the file from? In any case, do you think it could be possible to swap it for another .dex that is not flagged as highly suspicious? -- If you upload the new .dex to virustotal.com for a scan and if it comes out totally clean then it's good for the repo.

What do you think?

ps: I emailed Fortinet to report it as a possible false positive and they came back to me with:

The sample contains suspicious code that is related to the SMS service, purchase interface, payment, bill, China Mobile, China Unicom, and China Telecommunications Corporation.
The class names and function names are all simply obfuscated, and it also involved "android.provider.Telephony.SMS_RECEIVED" and "android.provider.Telephony.SMS_DELIVER" as part of the suspicious behaviors.
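As an added example (not the project's own code, and not part of this issue thread), a Go check that fails a test suite when a fixture file's SHA-256 is not pinned in a manifest, so a binary nobody can account for cannot sit in the repo unnoticed. The manifest layout (relative path to lowercase hex digest) and the file names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// VerifyFixtures walks dir and returns the relative paths of files whose
// SHA-256 is missing from, or differs from, the manifest (assumed layout:
// relative path -> lowercase hex digest). An empty result means every
// fixture is pinned; a CI test can fail on anything else.
func VerifyFixtures(dir string, manifest map[string]string) ([]string, error) {
	var bad []string
	err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		rel, err := filepath.Rel(dir, path)
		if err != nil {
			return err
		}
		rel = filepath.ToSlash(rel)
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		if want, ok := manifest[rel]; !ok || want != hex.EncodeToString(sum[:]) {
			bad = append(bad, rel)
		}
		return nil
	})
	sort.Strings(bad)
	return bad, err
}

func main() {
	// Constructed demo: one pinned fixture, one binary no manifest entry accounts for.
	dir, _ := os.MkdirTemp("", "fixtures")
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "pinned.bin"), []byte("hello"), 0o644)
	_ = os.WriteFile(filepath.Join(dir, "unknown.dex"), []byte("dex\n035\x00"), 0o644)
	manifest := map[string]string{"pinned.bin": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}
	bad, err := VerifyFixtures(dir, manifest)
	fmt.Println(bad, err) // [unknown.dex] <nil>
}
```

Wiring this into a `TestFixturesPinned` test means adding a fixture requires an explicit manifest entry, which leaves a reviewable record of where each binary came from.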

h2non (Owner) commented Jan 19, 2021

Thanks for reporting this. This seems like an unfortunate false positive.
I don't see any solid argument in their response that holds a founded reason to believe there is malicious executable code there, besides the fact that it requests certain OS access permissions.
Anyway, I don't mind deleting the file; it's just a fixture in the end.

h2non (Owner) commented Jan 21, 2021

Alright, the user who committed that file has recently deleted their account. Hard to believe it's a coincidence, so I have deleted the file and will push a new release soon.

h2non (Owner) commented Jan 21, 2021

Both fixtures committed by this user were deleted and a new tag release was pushed: v1.1.1.
