Android Question [closed] Obfuscator generates strings that may be detected as virus false positives?

fredo

Well-Known Member
Licensed User
Longtime User
The "false positive" problem is continued in a new thread: https://www.b4x.com/android/forum/t...g-googles-false-positive-virus-checks.147537/




The following is no longer relevant:



The goal is to share a file located on Google drive so that a recipient of the link can install the file on their Android device using package installer.

This has worked for years without any problems.

With the last uploaded version, the apk file could no longer be installed on the recipient's device.

The investigation of the cause led to the conclusion that the Obfuscator generates strings that lead to a false positive from Google's virus detection service.
(among others: https://www.b4x.com/android/forum/t...-gdrive-flagged-for-abused.123103/post-769258)

The application is very large, so manually searching for the problematic section would take a disproportionate amount of time.

Is there any way to force the obfuscator to generate other strings (e.g. by changing a seed value)?

fredo

Well-Known Member
Licensed User
Longtime User
The salt used during string obfuscation changes every compilation. The output is completely different each time.
Multiple attempts to compile slightly modified modules did not bring any improvement.

Even an apk file without obfuscation received a false positive.

A review of older versions in the Playstore revealed something interesting.

An apk file from October 2022 was downloaded from the Playstore and scanned with Virustotal - everything OK.

All other versions available in the Playstore (apk and aab files) from November 2022 onwards give a false positive.

Now I need to find out what was changed in the period October - November 2002 (within the app or on Google side).

I will now disable some libraries individually to further narrow down the problem.


Library1 = ah_checkinternet
Library2 = ajwebkit
Library3 = aspopupmenu
Library4 = b4xencryption
Library5 = b4xpreferencesdialog
Library6 = bctextengine
Library7 = bctoast
Library8 = byteconverter
Library9 = convertimage
Library10 = core
Library11 = dateutils
Library12 = encryption
Library13 = firebaseanalytics
Library14 = firebasenotifications
Library15 = googleplaybilling
Library16 = ime
Library17 = json
Library18 = network
Library19 = phone
Library20 = randomaccessfile
Library21 = reflection
Library22 = runtimepermissions
Library23 = sql
Library24 = ss_aesencryption
Library25 = tabstripviewpager
Library26 = touchimageview
Library27 = viewsex
Library28 = webviewxtended
Library29 = xcustomlistview
Library30 = xui
Library31 = xui views
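To narrow down what changed between the October build that scanned clean and the November builds that did not (and whether the obfuscated strings are among the differences), here is an added Python example that is not from this thread or from B4X: it reads the string table of every classes*.dex in two APKs and lists the strings only the newer build contains. The APK fixtures, their string tables and the build_apk helper are constructed here purely to make the example self-contained.

```python
import io
import struct
import zipfile

def dex_strings(dex):
    # string_ids_size / string_ids_off sit at DEX header offsets 0x38 / 0x3C
    size, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(size):
        (pos,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        while dex[pos] & 0x80:          # skip the ULEB128 utf16_size prefix
            pos += 1
        pos += 1
        end = dex.index(b"\x00", pos)   # MUTF-8 payload is NUL-terminated
        out.append(dex[pos:end].decode("utf-8", "replace"))
    return out

def apk_strings(apk_bytes):
    # Union of the string tables of every classes*.dex inside the APK
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                found.update(dex_strings(z.read(name)))
    return found

def new_strings(old_apk, new_apk):
    # Strings present in the newer build but absent from the older one
    return sorted(apk_strings(new_apk) - apk_strings(old_apk))

def build_apk(strings):
    # Constructed fixture (hypothetical): a minimal DEX holding only a header
    # and a string table, zipped as classes.dex. Real builds carry much more.
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"
    ids, data = bytearray(), bytearray()
    data_start = 0x70 + 4 * len(strings)
    for s in strings:
        ids += struct.pack("<I", data_start + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"  # ULEB128 ok for len < 128
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as z:
        z.writestr("classes.dex", bytes(header + ids + data))
    return bio.getvalue()

OLD_APK = build_apk(["Lanywheresoftware/b4a/BA;", "onCreate", "Ljava/lang/String;"])
NEW_APK = build_apk(["Lanywheresoftware/b4a/BA;", "onCreate", "Ljava/lang/String;",
                     "Landroid/webkit/WebView;", "a7Qz9"])
```

Run new_strings on the real October and November APKs instead of the fixtures; the resulting list is what a scanner sees as newly introduced, and it pairs well with the library-removal tests above.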

MarcoRome

Expert
Licensed User
Longtime User
Hi @fredo
We also put some apk on google drive (even yesterday) for some customers and no false negative results.
Most likely it's some libraries.
Those that we often use, for example, are marked in red (so you can already discard them):
Library1 = ah_checkinternet
Library2 = ajwebkit
Library3 = aspopupmenu
Library4 = b4xencryption
Library5 = b4xpreferencesdialog
Library6 = bctextengine
Library7 = bctoast
Library8 = byteconverter

Library9 = convertimage
Library10 = core
Library11 = dateutils
Library12 = encryption
Library13 = firebaseanalytics
Library14 = firebasenotifications
Library15 = googleplaybilling
Library16 = ime
Library17 = json
Library18 = network
Library19 = phone
Library20 = randomaccessfile
Library21 = reflection
Library22 = runtimepermissions
Library23 = sql

Library24 = ss_aesencryption
Library25 = tabstripviewpager
Library26 = touchimageview
Library27 = viewsex
Library28 = webviewxtended
Library29 = xcustomlistview
Library30 = xui
Library31 = xui views

MarcoRome

Expert
Licensed User
Longtime User
Most likely it's some libraries.
Look at this example:

[screenshot: 1682010341110.png]

No detection, and it uses these libraries:

[screenshot: 1682010373694.png]

Look at another example:

[screenshot: 1682010417013.png]

and this apk uses these libraries:

[screenshot: 1682010450939.png]

fredo

Well-Known Member
Licensed User
Longtime User
Here is a short progress report:
  • removetest1: ss_aesencryption and encryption removed --> false positive
  • removetest2: ah_checkinternet removed --> false positive
  • removetest3: ajwebkit removed --> false positive
  • removetest4: viewsex removed --> false positive
  • removetest5: convertimage removed --> false positive
  • removetest6: webviewxtended removed --> false positive
  • removetest7: touchimageview removed --> false positive
  • removetest8: xcustomlistview removed --> false positive