https://photos.app.goo.gl/yjnLWLjp8DhkiJmL8
Probably it is a false alarm.
It is a shame that virustotal.com does not display any information about who signed the app. (digital signature of the person who compiled the app):
On the detail page there is more info:
Somebody signed the app with the same data as the official f-droid store.
The banking trojan version has a certificate fingerprint "76d1f55f2fb9cbf8b0ccc8ace21a17612366fff4"
Searching for this fingerprint "https://duckduckgo.com/?q=+76d1f55f2fb9cbf8b0ccc8ace21a17612366fff4+&t=hk&ia=web"
Leads to this website: https://www.androidliste.de/item/android-apps/593775/qksms/
The current fdroid version https://f-droid.org/repo/com.moez.QKSMS_2213.apk which is compiled from the github sources has this result
https://www.virustotal.com/gui/url/8ca5a105e887646d2fc40c97e979cae5d8c43f96cd7ecaf4727ea25f8c4419a3/detection
Unfortunately virustotal does not display any certificate/fingerprint info for this app.
Maybe it is a good idea if f-droid publishes its app-specific signing fingerprint in its catalog data and on the website so that we can verify if the signer was f-droid.org or somebody who created his own certificate with the same data as f-droid.org (but a different signing fingerprint).
Kindly mention the source of the apk and the build variant (WithAnalytics/NoAnalytics) when posting such issues; it will help the developer to pinpoint the library which causes these detections and mitigate any possible issues.
@eighthave @Bubu Ping?
ESET finds the trojan in /data/app/com.moez.QKSMS-3f7ysGnUdeER4WGDDpF49w==/base.apk
Version 3.8.1 from F-Droid.
Signature: fd16b74e9554bc695f5cdb042130febc
@k3b
> Somebody signed the app with the same data as the official f-droid store
> The banking trojan version has a certificate fingerprint "76d1f55f2fb9cbf8b0ccc8ace21a17612366fff4"
No, it is the F-Droid build. With valid signature and downloadable via repo link:
https://f-droid.org/repo/com.moez.QKSMS_2213.apk
SHA256: 93d958576ca7830348847660171d1d651204dae840c5e2966e1db48b8af1b945
gpg --verify com.moez.QKSMS_2213.apk.asc com.moez.QKSMS_2213.apk
gpg: Signature made Sat 01 Feb 2020 11:33:00 AM +05
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]
I believe this is a false positive. The exact same thing happened a couple months ago with AVG (and other apps that used its engine), and then after reporting the false positive it took a few days to correct.
I'm writing up an email to ESET now with some details. I'll write back here once I hear from them.
The problem is solved. : )
Excellent!
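Added example, not part of the original thread or of F-Droid's tooling: the check proposed above, comparing an APK's signing-certificate fingerprint against a pinned value instead of trusting the certificate's subject data, sketched in Python for the v1 (JAR) signature block. It assumes a DER-encoded PKCS#7 file with one signer certificate, the function names are hypothetical, and it only reads the embedded certificate without validating the signature over the APK contents.

```python
import hashlib
import io
import sys
import zipfile

def tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signer_cert_der(pkcs7):
    """Return the first X.509 certificate (raw DER) inside a PKCS#7 SignedData."""
    _, p, _ = tlv(pkcs7, 0)      # ContentInfo SEQUENCE
    _, _, p = tlv(pkcs7, p)      # skip the contentType OID
    _, p, _ = tlv(pkcs7, p)      # [0] EXPLICIT wrapper
    _, p, end = tlv(pkcs7, p)    # SignedData SEQUENCE
    while p < end:
        tag, start, stop = tlv(pkcs7, p)
        if tag == 0xA0:          # certificates [0] IMPLICIT SET OF Certificate
            _, _, cert_end = tlv(pkcs7, start)
            return pkcs7[start:cert_end]
        p = stop
    raise ValueError("no certificate in SignedData")

def v1_signer_fingerprints(apk_bytes):
    """Hash the whole DER certificate, so the public key is covered too."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                cert = signer_cert_der(apk.read(name))
                return {alg: hashlib.new(alg, cert).hexdigest() for alg in ("sha1", "sha256")}
    raise ValueError("no v1 (JAR) signature block in META-INF/")

def embedded_cert_matches(apk_bytes, pinned_hex):
    """Compare against a pinned fingerprint, ignoring colons, spaces and case."""
    want = pinned_hex.replace(":", "").replace(" ", "").lower()
    return want in v1_signer_fingerprints(apk_bytes).values()

if __name__ == "__main__":  # usage: python check_cert.py app.apk <pinned fingerprint>
    with open(sys.argv[1], "rb") as f:
        print(embedded_cert_matches(f.read(), sys.argv[2]))
```

To confirm the signature itself and to cover the v2/v3 schemes, `apksigner verify --print-certs` prints the same certificate digests after verifying the APK.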