
False positives?

Open licaon-kter opened this issue 4 years ago • 67 comments

Malware?

  • https://github.com/microg/FakeStore (microG repo)
  • https://github.com/microg/android_packages_apps_GmsCore (more exactly DroidGuard Helper; microG repo)
  • https://github.com/microg/android_packages_apps_GsfProxy (microG repo)
  • https://github.com/openbmap/radiocells-nlp-android (F-Droid)
  • https://gitlab.com/fdroid/privileged-extension (F-Droid)

Unknown? https://github.com/termux/termux-styling (F-Droid)

licaon-kter avatar Sep 23 '20 09:09 licaon-kter

They are probably false positives. We should investigate this further.

sanandmv7 avatar Sep 23 '20 10:09 sanandmv7

This flagged com.google.android.gms.setup as malware. I think this is a false positive.

tinywombat765 avatar Sep 26 '20 11:09 tinywombat765

And many default LineageOS system apps are detected as malware, extraordinary.

zpcol avatar Sep 26 '20 12:09 zpcol

The 'Scan System Apps' feature is very buggy. That is why we don't recommend using it. Since many system apps require sensitive permissions and intent-filters similar to those used by malicious apps, it is difficult for the machine learning model to distinguish between malware and goodware just by using these features only. We may try to improve this situation in the future by training the machine learning model with more distinguishing features.

projectmatris avatar Sep 26 '20 12:09 projectmatris

FYI com.google.android.gms.setup isn't a system app.

tinywombat765 avatar Sep 26 '20 18:09 tinywombat765

Also found to be malware:

https://github.com/stephane-r/HoloPlay (F-Droid)

https://github.com/beatbrot/ScreenshotAssistant (F-Droid)

elemonader avatar Sep 26 '20 18:09 elemonader

I am an Android root user, it's not difficult to give root permission, just add root mode for this application.

zpcol avatar Sep 27 '20 12:09 zpcol

@zpcol what for?

licaon-kter avatar Sep 27 '20 12:09 licaon-kter

I am an Android root user, it's not difficult to give root permission, just add root mode for this application.

@zpcol please open a new issue for this

sanandmv7 avatar Sep 27 '20 15:09 sanandmv7

FYI com.google.android.gms.setup isn't a system app.

Is this the Data Transfer Tool? Did you install it manually?

sanandmv7 avatar Sep 27 '20 15:09 sanandmv7

On September 27, 2020 11:32:30 AM EDT, sanandmv7 [email protected] wrote:

FYI com.google.android.gms.setup isn't a system app.

Is this the Data Transfer Tool?

I think so. I'm honestly not sure why it was on my phone.

tinywombat765 avatar Sep 27 '20 19:09 tinywombat765

Also vanced microg is marked as malware (com.mgoogle.android.gms)

Is it really malware??

Material Files is identified as "Malware"

This is an OSS app, source code is available here: https://github.com/zhanghai/MaterialFiles

VirusTotal report: https://www.virustotal.com/gui/file/ba1c9ed65bb7a48e7733ab0762423214fc7f68a04eb3cacfaad1b4edb4108ee7/details

BasilTomato avatar Sep 29 '20 14:09 BasilTomato

Shelter is also being identified as malware.

https://github.com/PeterCxy/Shelter

It's also in the F-Droid repos.

Can also confirm Vanced MicroG labeled as malware. Might be because the scanner has trouble with system apps, but MicroG isn't installed as one and it's mistaking it for a system app and flagging it due to that. May be wrong, though.

ghost avatar Sep 30 '20 23:09 ghost

Please be aware that the machine learning model that we use to detect malware is in its early stages. We are consistently trying to improve the model. So please keep adding the false positives here. We will consider them next time we train the model.

projectmatris avatar Oct 01 '20 17:10 projectmatris

I found another false positive: German for AnySoftKeyboard - https://play.google.com/store/apps/details?id=com.anysoftkeyboard.languagepack.german

njmdietrich avatar Oct 06 '20 23:10 njmdietrich

Vanilla Metadata Fetch detected as malware. https://f-droid.org/repo/com.kanedias.vanilla.metadata

Prediction score 0.839975 LibreAV 1.1.0

AlanSanchezP avatar Oct 21 '20 04:10 AlanSanchezP

Also detected:

  • Cards and Castles (Play Store)
  • OpenBMap (F-Droid)
  • net.shallowmallow.pico (Play Store)
  • org.pocketworkstation.dict.de (Play Store)

java-py-c-cpp-js avatar Oct 21 '20 08:10 java-py-c-cpp-js

Secure Photo Viewer (F-Droid) https://f-droid.org/de/packages/com.gtp.showapicturetoyourfriend/ Malware, scored 0,883341 for having read/write external storage plus wake lock.

Screenshot Assistant (Play Store, de.beatbrot.screenshotassistant) Malware, scored 0.938887, for "No permissions required"

But in case the analysis is valid, maybe some plausible arguments should accompany the app details page.

LibreAV 1.1.0

uli-on avatar Oct 22 '20 16:10 uli-on

@uli-on The machine learning model uses permissions and intent-filters to detect malware. So even if the scanned app does not require any permissions, it may be using some intent-filters that the model considers as indicative of malware.

projectmatris avatar Oct 22 '20 18:10 projectmatris

So even if the scanned app does not require any permissions, it may be using some intent-filters that the model considers as indicative of malware.

Yes, I see, but what I posted is the only information that the app currently supplies. Hence I said the app's details page should be accompanied by plausible arguments.

uli-on avatar Oct 22 '20 21:10 uli-on

All in-app extensions for Tachiyomi (https://github.com/inorichi/tachiyomi) are showing up as Malware or Unknown. The extensions have no permissions required and, as far as I know, they are only used as a source to pull the manga/comic jpg files from their respective website, and each of the prediction scores is always 0.975356.

  • https://raw.githubusercontent.com/inorichi/tachiyomi-extensions/repo/apk/tachiyomi-all.mangadex-v1.2.97.apk (mangadex) eu.kanade.tachiyomi.extension.all.mangadex
  • https://raw.githubusercontent.com/inorichi/tachiyomi-extensions/repo/apk/tachiyomi-en.existentialcomics-v1.2.4.apk (existential comics) eu.kanade.tachiyomi.extension.en.existentialcomics

Here are some others also:

  • eu.kanade.tachiyomi.extension.all.nhentai
  • eu.kanade.tachiyomi.extension.all.mangaplus
  • eu.kanade.tachiyomi.extension.en.mangasee
  • eu.kanade.tachiyomi.extension.en.xkcd
  • eu.kanade.tachiyomi.extension.en.vizshonenjump
  • eu.kanade.tachiyomi.extension.all.ehentai
  • eu.kanade.tachiyomi.extension.all.dragonball_multiverse
  • eu.kanade.tachiyomi.extension.all.mangabox
  • eu.kanade.tachiyomi.extension.all.webtoons
  • eu.kanade.tachiyomi.extension.all.toomics

Vasttadpolhairs avatar Nov 10 '20 03:11 Vasttadpolhairs

Downloaded the latest update, and the Tachiyomi extensions I listed in the post above are still showing up as malware. Can someone look into this?

Vasttadpolhairs avatar Nov 28 '20 22:11 Vasttadpolhairs

We are still working on false positives. The model included with the app is the best one we could come up with so far. We will let you know once we develop an improved model.

projectmatris avatar Nov 29 '20 05:11 projectmatris

This dictionary app was flagged as malware even though it requests zero permissions.

Check out "English completion dictionary" - https://play.google.com/store/apps/details?id=org.pocketworkstation.dict.en

PurpleCodingWizard avatar Nov 29 '20 06:11 PurpleCodingWizard

@PurpleCodingWizard Thanks for pointing this out. The app you mentioned uses one intent-filter only (org.pocketworkstation.DICT) which is not defined in the features.json file (features.json file contains a list of permissions and intent-filters considered while training the model. We use this file to create the feature vector.). The above-mentioned app does not use any permissions or intent-filters defined in features.json. So the feature vector for this app would contain all 0's. Since the permissions/intent-filters used by the app are unknown to the model, we should label it as 'Unknown'. But we didn't handle this condition in our app. We will fix this issue in the next release.

projectmatris avatar Nov 29 '20 11:11 projectmatris
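A worked illustration of the feature-vector construction and the all-zeros 'Unknown' guard that projectmatris describes in the two comments above. This is added example code, not LibreAV's own; the feature list standing in for features.json, the two manifests and the toy logistic scorer with its weights are all constructed for the example.

```python
import math
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed stand-in for features.json: the ordered permissions and
# intent-filter actions the model was trained on (not the project's real file).
FEATURES = [
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.WAKE_LOCK",
    "android.permission.SEND_SMS",
    "android.intent.action.BOOT_COMPLETED",
]
WEIGHTS = [0.9, 1.1, 0.7, 2.5, 1.8]  # constructed toy weights, one per feature
BIAS = -1.0

# Constructed manifests: storage + wake-lock permissions, and a dictionary app
# whose only intent-filter action (org.pocketworkstation.DICT) is not a feature.
PHOTO_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""
DICT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application><service android:name=".DictService"><intent-filter>
    <action android:name="org.pocketworkstation.DICT"/>
  </intent-filter></service></application>
</manifest>"""

def feature_vector(manifest_xml, features=FEATURES):
    # Collect permission names and intent-filter actions, then emit one 0/1
    # entry per features.json entry, in file order.
    root = ET.fromstring(manifest_xml)
    declared = {n.get(ANDROID_NS + "name") for n in root.iter("uses-permission")}
    for filt in root.iter("intent-filter"):
        declared.update(a.get(ANDROID_NS + "name") for a in filt.iter("action"))
    return [1 if f in declared else 0 for f in features]

def toy_model(vec):
    # Logistic scorer standing in for the trained model.
    z = BIAS + sum(w * x for w, x in zip(WEIGHTS, vec))
    return 1.0 / (1.0 + math.exp(-z))

def classify(manifest_xml, model=toy_model, threshold=0.5):
    # All-zero vector: nothing the app declares is known to the model, so 'Unknown'.
    vec = feature_vector(manifest_xml)
    if not any(vec):
        return "Unknown", None
    score = model(vec)
    return ("Malware" if score >= threshold else "Goodware"), score
```

With these constructed inputs the photo viewer is scored (and, like Secure Photo Viewer in the thread, lands on the malware side purely from storage and wake-lock permissions), while the dictionary app is reported as Unknown instead of being scored on an empty vector.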

A quick list that may be false positive:

  • Mobile Config (fr.freemobile.android.mobileconf)
  • OpenWeatherMap (org.lineageos.openweathermapprovider)
  • Titanium Backup Add-on (com.keramidas.TitaniumBackupAddon)

damajor avatar Dec 09 '20 15:12 damajor

Hi! It falsely detects a lot of system apps (Xiaomi, rooted). It also finds mod apps, but are they really all so insecure? https://imgur.com/a/2hLJC40

esqanor avatar Dec 09 '20 23:12 esqanor

@esqanor system apps have a lot of permissions, as you are warned there will be false positives there

licaon-kter avatar Dec 10 '20 06:12 licaon-kter

Firefox Focus was flagged as malware with a .804063 prediction score. The same did not happen with Firefox Browser.

nunesgh avatar Jan 08 '21 14:01 nunesgh