projectmatris/antimalwareapp

False positives?

licaon-kter opened this issue · 67 comments

They are probably false positives. We should investigate this further.

This flagged com.google.android.gms.setup as malware. I think this is a false positive.

zpcol commented

And many default LineageOS system apps are detected as malware, extraordinary.

The 'Scan System Apps' feature is very buggy. That is why we don't recommend using it. Since many system apps require sensitive permissions and intent-filters similar to those used by malicious apps, it is difficult for the machine learning model to distinguish between malware and goodware just by using these features only. We may try to improve this situation in the future by training the machine learning model with more distinguishing features.

FYI com.google.android.gms.setup isn't a system app.

zpcol commented

I am an Android root user, it's not difficult to give root permission, just add root mode for this application.

@zpcol what for?


@zpcol please open a new issue for this


Is this the Data Transfer Tool? Did you install it manually?

Also Vanced microG is marked as malware (com.mgoogle.android.gms)

Is it really malware??

Material Files is identified as "Malware"

This is an OSS app, source code is available here: https://github.com/zhanghai/MaterialFiles

VirusTotal report: https://www.virustotal.com/gui/file/ba1c9ed65bb7a48e7733ab0762423214fc7f68a04eb3cacfaad1b4edb4108ee7/details

Shelter is also being identified as malware.

https://github.com/PeterCxy/Shelter

It's also in the F-Droid repos.

Can also confirm Vanced MicroG labeled as malware. Might be because the scanner has trouble with system apps, but MicroG isn't installed as one and it's mistaking it for a system app and flagging it due to that. May be wrong, though.

Please be aware that the machine learning model that we use to detect malware is in its early stages. We are consistently trying to improve the model. So please keep adding the false positives here. We will consider them next time we train the model.

I found another false positive: German for AnySoftKeyboard - https://play.google.com/store/apps/details?id=com.anysoftkeyboard.languagepack.german

Vanilla Metadata Fetch detected as malware. https://f-droid.org/repo/com.kanedias.vanilla.metadata

Prediction score 0.839975
LibreAV 1.1.0

Also detected:
Cards and Castles (Play Store)
OpenBMap (F-Droid)
net.shallowmallow.pico (Play Store)
org.pocketworkstation.dict.de (Play Store)

Secure Photo Viewer (F-Droid) https://f-droid.org/de/packages/com.gtp.showapicturetoyourfriend/
Malware, scored 0.883341 for having read/write external storage plus wake lock.

Screenshot Assistant (Play Store, de.beatbrot.screenshotassistant)
Malware, scored 0.938887, for "No permissions required"

But in case the analysis is valid, maybe some plausible arguments should accompany the app details page.

LibreAV 1.1.0

@uli-on The machine learning model uses permissions and intent-filters to detect malware. So even if the scanned app does not require any permissions, it may be using some intent-filters that the model considers as indicative of malware.


Yes, I see, but what I posted is the only information that the app currently supplies. Hence I said the app's details page should be accompanied with plausible arguments.

All in-app extensions for Tachiyomi https://github.com/inorichi/tachiyomi are showing up as Malware or Unknown. The extensions have no permissions required and as far as I know they are only used as a source to pull the manga/comic jpg files from their respective website, and each of the prediction scores is always 0.975356

https://raw.githubusercontent.com/inorichi/tachiyomi-extensions/repo/apk/tachiyomi-all.mangadex-v1.2.97.apk (mangadex) eu.kanade.tachiyomi.extension.all.mangadex
https://raw.githubusercontent.com/inorichi/tachiyomi-extensions/repo/apk/tachiyomi-en.existentialcomics-v1.2.4.apk (existential comics) eu.kanade.tachiyomi.extension.en.existentialcomics

here are some others also
eu.kanade.tachiyomi.extension.all.nhentai
eu.kanade.tachiyomi.extension.all.mangaplus
eu.kanade.tachiyomi.extension.en.mangasee
eu.kanade.tachiyomi.extension.en.xkcd
eu.kanade.tachiyomi.extension.en.vizshonenjump
eu.kanade.tachiyomi.extension.all.ehentai
eu.kanade.tachiyomi.extension.all.dragonball_multiverse
eu.kanade.tachiyomi.extension.all.mangabox
eu.kanade.tachiyomi.extension.all.webtoons
eu.kanade.tachiyomi.extension.all.toomics

Downloaded the latest update and the Tachiyomi extensions I listed in the post above are still showing up as malware. Can someone look into this?

We are still working on false positives. The model included with the app is the best one we could come up with so far. We will let you know once we develop an improved model.

This dictionary app was flagged as malware even though it requests zero permissions.

Check out "English completion dictionary" - https://play.google.com/store/apps/details?id=org.pocketworkstation.dict.en

@PurpleCodingWizard Thanks for pointing this out. The app you mentioned uses one intent-filter only (org.pocketworkstation.DICT) which is not defined in the features.json file (features.json file contains a list of permissions and intent-filters considered while training the model. We use this file to create the feature vector.). The above-mentioned app does not use any permissions or intent-filters defined in features.json. So the feature vector for this app would contain all 0's. Since the permissions/intent-filters used by the app are unknown to the model, we should label it as 'Unknown'. But we didn't handle this condition in our app. We will fix this issue in the next release.
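As an added illustration of the feature-vector logic described in the comment above (this is example code written for this thread, not LibreAV's own implementation): the contents of features.json, the model weights and the scoring function below are all hypothetical stand-ins. The point it shows is the edge case the maintainer mentions: when nothing an app declares appears in features.json, the vector is all zeros and the app should be labelled UNKNOWN rather than being scored. It also returns the features that actually drove a MALWARE score, which is the kind of "plausible argument" the details page was asked to show earlier in the thread.

```python
import json
import math
from typing import Dict, List

# Constructed stand-in for features.json (hypothetical content, not LibreAV's file):
# the permissions and intent-filter actions the model was trained on, in a fixed order.
FEATURES_JSON = json.dumps({
    "permissions": [
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.WAKE_LOCK",
        "android.permission.READ_PHONE_STATE",
        "android.permission.ACCESS_SUPERUSER",
    ],
    "intent_filters": [
        "android.intent.action.BOOT_COMPLETED",
        "android.intent.action.MAIN",
    ],
})

# Hypothetical per-feature weights and bias standing in for the trained model;
# a positive weight pushes the score towards "malware". Same order as the vocabulary.
WEIGHTS = [0.6, 0.9, 0.4, 1.2, 2.0, 1.5, -0.8]
BIAS = -1.0


def load_feature_vocab(raw_json: str) -> List[str]:
    """Flatten features.json into the ordered list of feature names."""
    data = json.loads(raw_json)
    return list(data["permissions"]) + list(data["intent_filters"])


def feature_vector(vocab: List[str], permissions: List[str],
                   intent_filters: List[str]) -> List[int]:
    """Binary vector: 1 where the app uses a feature the model knows, else 0."""
    used = set(permissions) | set(intent_filters)
    return [1 if name in used else 0 for name in vocab]


def model_score(vec: List[int]) -> float:
    """Toy logistic scorer; only its shape (a probability in [0, 1]) matters here."""
    z = BIAS + sum(w * x for w, x in zip(WEIGHTS, vec))
    return 1.0 / (1.0 + math.exp(-z))


def classify(vocab: List[str], permissions: List[str],
             intent_filters: List[str], threshold: float = 0.5) -> Dict:
    """Label an app, handling the all-zero vector case explicitly."""
    vec = feature_vector(vocab, permissions, intent_filters)
    declared = set(permissions) | set(intent_filters)
    unknown_features = sorted(declared - set(vocab))
    # Edge case from the thread: nothing the app declares is in the vocabulary,
    # so the model has no evidence either way and must not be asked for a score.
    if not any(vec):
        return {"label": "UNKNOWN", "score": 0.0, "evidence": [],
                "unknown_features": unknown_features}
    score = model_score(vec)
    # Known features with positive weight that the app uses: what the details
    # page can show as the reason for a MALWARE verdict.
    evidence = [name for name, x, w in zip(vocab, vec, WEIGHTS) if x and w > 0]
    label = "MALWARE" if score >= threshold else "GOODWARE"
    return {"label": label, "score": round(score, 6), "evidence": evidence,
            "unknown_features": unknown_features}


if __name__ == "__main__":
    vocab = load_feature_vocab(FEATURES_JSON)
    # Constructed input mirroring the dictionary app: one intent-filter, none known.
    print(classify(vocab, [], ["org.pocketworkstation.DICT"]))
    # Constructed input mirroring the photo viewer report: storage plus wake lock.
    print(classify(vocab, ["android.permission.READ_EXTERNAL_STORAGE",
                           "android.permission.WRITE_EXTERNAL_STORAGE",
                           "android.permission.WAKE_LOCK"], []))
```

With the constructed weights, the dictionary-style input comes back as UNKNOWN with the unrecognised intent-filter listed, while the storage-plus-wake-lock input scores about 0.71 and is labelled MALWARE with those three permissions as the evidence; a real model would of course use its own trained weights, but the all-zero guard and the evidence list do not depend on them.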

A quick list that may be false positives:

  • Mobile Config (fr.freemobile.android.mobileconf)
  • OpenWeatherMap (org.lineageos.openweathermapprovider)
  • Titanium Backup Add-on (com.keramidas.TitaniumBackupAddon)

Hi!
It falsely detects a lot of system apps (Xiaomi, rooted).
It also finds mod apps, but are they really all so insecure?
https://imgur.com/a/2hLJC40

@esqanor system apps have a lot of permissions, as you are warned there will be false positives there

Firefox Focus was flagged as malware with a .804063 prediction score. The same did not happen with Firefox Browser.

BubbleUPnP may be a false positive (detected as malware).

Why report false positives when the latest update does not include the ones in this thread?

I just point out that I reported 3 legit apps and they still appear as malware in the latest LibreAV release.

@damajor yes, they aren't adding "exceptions", they need "samples" to fine tune detection algorithms.

Aren't the apps publicly available for that purpose? My guess is yes.

LibreAV detected the following apps from F-Droid as malware today:

  • NoUSSD
  • Shelter
  • Short URL Evaluator
  • Sichere Fotoanzeige
  • SMS Ping
  • DJI Fly (Google Play of course)

IMG_20210208_184505.jpg

Here's another:

https://gitlab.com/gardenappl/try-lbry

Prediction Score: .949149
Malware

(It's on F-Droid)

Termux is also identified as risky.

Here are some more false positives:

Wrong PIN Shutdown
org.nuntius35.wrongpinshutdown
Prediction Score: .999543 (MALWARE)
Permission List: android.permission.ROOT, android.permission.ACCESS_SUPERUSER, android.permission.READ_PHONE_STATE

FakeGapps
com.thermatk.android.xf.fakegapps
Prediction Score: 0 (UNKNOWN)
Permission List: -

AnySoftKeyboard: Swedish
com.anysoftkeyboard.languagepack.swedish
Prediction Score: 0 (UNKNOWN)
Permission List: -
NOTE: Likely applies to all language packs

Screenshot_20210524-141757_LibreAV
Screenshot_20210524-141748_LibreAV

That's not even all of it. I think I'll have to root and uninstall bloatware without bricking...

@User66958 as said in the app, better not scan system apps. Please don't start uninstalling system apps based on this apps reports.


I'm aware of the consequences for doing so. I just want to remove bloatware in general. There's over 400 apps installed on my phone and most are from Samsung. Surely there's some that aren't needed for the device to function properly.

Would like to report a couple of false positives

Screenshot_20210829-150043

Automate apps by LlamaLab are false positives.

NoUSSD is a false positive. It's from F-Droid.

Cryptocurrency exchanges
KuCoin, Huobi Pro are listed as malware.
Is this right? I don't know.

@ahmed-tasaly if they are open source you can check?!


They aren't 😥


tbh I'd stay away from Chinese crypto exchanges


@fusionneur So what do you recommend instead?


Go for Kraken, Bittrex. Anyway this is a bit off-topic..

Screenshot_20220121-235110963
Screenshot_20220121-235052449
Some more false positives: these were from the Play Store, aside from HappyMod, but I definitely know these are not malware.

The Ghost Commander Samba Plugin from F-Droid gets marked as malware. The sftp plugin gets marked as dangerous/risky (translated from German: riskant).
Link to the F-Droid package search: https://search.f-droid.org/?q=Ghost+commander&lang=en

IMG_20220307_075655

LibreAV Version: 1.4.0
Android Version: 11.0
Scan System Apps: False

##########

APKs downloaded from Tachiyomi apps or https://tachiyomi.org/extensions/ detected as Malware.

image3

It says package manager is malware...

Amaze File Manager is also flagged as malware.

A lot of false positives like Binance, Aurora Services, Dirac, Package Installer, Seedvault, F-Droid Privileged Extension, HTML Viewer etc.

Screenshot_20221021-114248252

Screenshot_20221021-114329570

@Theluga Binance is a closed-source proprietary app? How would you even know, heh

Dead project! I see no signature updates or commits for years and people still report false positives... Don't waste your time.