Qksms: (Android/Spy.Banker.ARQ) Eset Mobile Security detects this app as a malware

Created on 5 Aug 2020 · 9 comments · Source: moezbhatti/qksms

All 9 comments

It is a shame that virustotal.com does not display any information about who signed the app (the digital signature of the person who compiled the app):

On the detail page there is more info:

Somebody signed the app with the same data as the official F-Droid store.

The banking trojan version has a certificate fingerprint "76d1f55f2fb9cbf8b0ccc8ace21a17612366fff4"

Searching for this fingerprint "https://duckduckgo.com/?q=+76d1f55f2fb9cbf8b0ccc8ace21a17612366fff4+&t=hk&ia=web"

Leads to this website: https://www.androidliste.de/item/android-apps/593775/qksms/


The current F-Droid version https://f-droid.org/repo/com.moez.QKSMS_2213.apk, which is compiled from the GitHub sources, has this result:
https://www.virustotal.com/gui/url/8ca5a105e887646d2fc40c97e979cae5d8c43f96cd7ecaf4727ea25f8c4419a3/detection

Unfortunately VirusTotal does not display any certificate/fingerprint info for this app.


Maybe it is a good idea if F-Droid publishes its app-specific signing fingerprint in its catalog data and on the website, so that we can verify whether the signer was f-droid.org or somebody who created their own certificate with the same data as f-droid.org (but a different signing fingerprint).
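The check described in this comment, written out as an added example (not code from the qksms project or from anyone in this thread): a stdlib-only Python script that compares a downloaded APK with a published SHA-256 and computes the SHA-1/SHA-256 fingerprint of the signing certificate carried in the APK's META-INF signature block. It only walks JAR (v1) signature blocks, not the v2/v3 APK Signing Block, so `apksigner verify --print-certs` remains the authoritative tool. The certificate, PKCS#7 structure and zip used below are constructed stand-ins, not a real F-Droid certificate or APK; they exist only to show that two certificates with identical subject data but different keys have different fingerprints.

```python
"""Check an APK download the way this thread does by hand: compare the file's
SHA-256 with the published value and compute the fingerprint of the signing
certificate embedded in the APK.  Added example, stdlib only; covers JAR (v1)
signature blocks in META-INF only, not the v2/v3 APK Signing Block."""
import hashlib
import hmac
import io
import zipfile


def der_children(data):
    """Split a DER byte string into its top-level TLVs.

    Returns a list of (tag, value, raw) tuples, where raw is the whole
    tag+length+value encoding (a certificate fingerprint is a hash of raw)."""
    out, pos = [], 0
    while pos < len(data):
        tag, length, hdr = data[pos], data[pos + 1], 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
            hdr = 2 + n
        out.append((tag, data[pos + hdr:pos + hdr + length], data[pos:pos + hdr + length]))
        pos += hdr + length
    return out


def certificates_from_pkcs7(blob):
    """Return the raw DER of every certificate carried in a PKCS#7 SignedData.

    Layout walked: ContentInfo SEQUENCE { OID, [0] EXPLICIT SignedData SEQUENCE
    { version, digestAlgorithms, contentInfo, certificates [0] IMPLICIT, ... } }"""
    outer = der_children(blob)
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("not a single DER SEQUENCE")
    certs = []
    for tag, content, _ in der_children(outer[0][1]):
        if tag != 0xA0:                        # content [0] EXPLICIT
            continue
        for tag2, signed_data, _ in der_children(content):
            if tag2 != 0x30:
                continue
            for tag3, cert_set, _ in der_children(signed_data):
                if tag3 != 0xA0:               # certificates [0] IMPLICIT
                    continue
                certs.extend(raw for t, _, raw in der_children(cert_set) if t == 0x30)
    return certs


def apk_signing_fingerprints(apk_bytes):
    """Map each META-INF/*.RSA|DSA|EC signature block to its certificate fingerprints."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                result[name] = [{"sha1": hashlib.sha1(c).hexdigest(),
                                 "sha256": hashlib.sha256(c).hexdigest()}
                                for c in certificates_from_pkcs7(z.read(name))]
    return result


def verify_sha256(data, expected_hex):
    """Constant-time comparison of a file's SHA-256 with the published digest."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


# --- constructed fixtures (no real certificate or APK is used) --------------
def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def fake_cert(subject, key_bytes):
    """Stand-in for an X.509 certificate: SEQUENCE { PrintableString subject, BIT STRING key }."""
    return der(0x30, der(0x13, subject) + der(0x03, b"\x00" + key_bytes))


def fake_apk(cert_der):
    """Minimal zip shaped like a v1-signed APK: a dex placeholder plus META-INF/CERT.RSA."""
    signed_data = der(0x30, der(0x02, b"\x01")                                  # version
                      + der(0x31, b"")                                           # digestAlgorithms
                      + der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")))  # id-data
                      + der(0xA0, cert_der)                                      # certificates
                      + der(0x31, b""))                                          # signerInfos
    pkcs7 = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed placeholder, not real dex")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    # Same subject data, different key: the fingerprints differ, which is what a
    # published F-Droid fingerprint would let a user check against.
    official = fake_apk(fake_cert(b"CN=FDroid", b"\x01" * 8))
    clone = fake_apk(fake_cert(b"CN=FDroid", b"\x02" * 8))
    print(apk_signing_fingerprints(official)["META-INF/CERT.RSA"][0]["sha1"])
    print(apk_signing_fingerprints(clone)["META-INF/CERT.RSA"][0]["sha1"])
    print(verify_sha256(official, hashlib.sha256(official).hexdigest()))
```

On a real download, replace the fixtures with `open("com.moez.QKSMS_2213.apk", "rb").read()`, the SHA-256 published alongside the file, and the fingerprint the repository publishes for its signing key; a matching file hash proves the bytes are the ones the repository serves, while the certificate fingerprint is what distinguishes the repository's own key from a look-alike certificate with the same subject fields.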

Kindly mention the source of the APK and the build variant (WithAnalytics/NoAnalytics) when posting such issues; it will help the developer to pinpoint the library which causes these detections and mitigate any possible issues.

@eighthave @Bubu Ping?

ESET finds the trojan in /data/app/com.moez.QKSMS-3f7ysGnUdeER4WGDDpF49w==/base.apk
Version 3.8.1 from F-Droid.
Signature: fd16b74e9554bc695f5cdb042130febc

@k3b

Somebody signed the app with the same data as the official F-Droid store

The banking trojan version has a certificate fingerprint "76d1f55f2fb9cbf8b0ccc8ace21a17612366fff4"

No, it is the F-Droid build, with a valid signature and downloadable via the repo link:

https://f-droid.org/repo/com.moez.QKSMS_2213.apk
SHA256: 93d958576ca7830348847660171d1d651204dae840c5e2966e1db48b8af1b945

gpg --verify com.moez.QKSMS_2213.apk.asc com.moez.QKSMS_2213.apk
gpg: Signature made Sat 01 Feb 2020 11:33:00 AM +05
gpg: using RSA key 7A029E54DD5DCE7A
gpg: Good signature from "F-Droid <admin@f-droid.org>" [unknown]

I believe this is a false positive. The exact same thing happened a couple months ago with AVG (and other apps that used its engine), and then after reporting the false positive it took a few days to correct

I'm writing up an email to ESET now with some details. I'll write back here once I hear from them

The problem is solved. : )

Excellent!
