avast won't let this program run

[Tom Munson]

I use avast! anti-virus, and I think it got updated last night. Today it won't let Alarm Klock run. It says it detected two potentially unwanted programs: Android:NickiSpy-E and Android:GoneSixtySpy-B. Anyone else having these problems? Caused me to oversleep this morning!

[Jan Timm]

Hello, I have exactly the same problem. And I do not kown what to do...

[Craig G]

It sounds like a bug in the anti virus software you're using.  You should file a bug with the maintainer.  You can point them at the source code of Alarm Klock here (https://code.google.com/p/kraigsandroid/) so they can figure out why it triggers a false positive.  It's also worth noting that Google scans all apps in the Play store for viruses and malware.  If an application still exists in the app store, it's a good indication that it is safe to use.

Craig

On Sunday, April 7, 2013 3:09:53 PM UTC-4, Florentin L'Hommedé wrote:

Hello, I have exactly the same problem too. The problem is real or not ?!

[Jan Befring]

Hi!

I got the same report from Avast. Same unwanted programs for the same application. I took the liberty of reporting these to Avast as possible false positives.

Keep safe! Jan

[John Veness]

I have a similar problem, only with a different malware detected and a
different antivirus engine.

If I have the Play Store version of Alarm Klock 1.7 installed, or the
APK from http://code.google.com/p/kraigsandroid/downloads/list
installed, my LBE security program (which uses the "Antiy AVL" antivirus
engine, apparently) says that it is infected with
"Trojan/Android.Lovetrap.b".

If I install the same Alarm Klock 1.7 from F-Droid (https://f-droid.org/
- who rebuild apps from source), LBE doesn't find any malware.

This seems a little worrying to me.

John

[Mark Spacek]

Happened again to me as well. I uninstalled Avast as I like alarm klock but would rather keep Avast as well so tried Alarm Klock 1.7 from F-Droid, reinstalled Avast and all is well. Thanks...

[Mark Spacek]

Confirmed, Alarm Klock 1.7 from F-Droid is clean per Avast! The Google play version of same is reported as infected with Android:LoveTrap-O[Trj]. I don't know if it's a false positive or not but it is concerning that it happens to one and not the other, something is different, so I'm sticking with the f-Droid version for now. Who actually compiles the Google play version?

[Craig G]

I built and uploaded all of the versions in the play store, and they are signed with my developer certificate.  I'm not familiar with how f-droid works, but they couldn't possibly sign the packages the same way.

More than likely, bits of this open source project have made it into one or more pieces of malware.  It's much easier for malicious engineers to copy an open sourced piece of code (which, for instance, does periodic guaranteed alarming) than it is to write it from scratch.  These bits of copied code will have similar signatures regardless of which application they occur in, making it very hard to accurately write a program like Avast which tries to do malware detection by binary substring matching (the parts of a malware app that has copied code from Alarm Klock will have small sections of the application which look identical).  A better model (which is employed by both the Google Play app store and the Apple app store) is to require application developers to sign their applications.  Any alteration to the application (like virus or malware infection) can then be detected by the phone and prevented from running because the signature will no longer match the runnable section of the application.  If a developer gets a bad reputation (by publishing malware or something similar), the developer's credential can be revoked by the store's administrator.  This process is again something that both android and iphone check for automatically.  The fact that any application in the Google Play store or iphone store remains available for an extended amount of time is a very good indicator that the application is not known to be malicious.  This is also a reason why you should only download applications from the app stores supported (ie having trusted credentials build in) by your phone. You are trusting the administrators of the app store to monitor and revoke developer activity.

Craig

[Mark Spacek]

Thanks for the reply. Didn't mean to imply anything negative, just didn't know.

[John Veness]

On 14/05/2013 21:32, Craig G wrote:
> I built and uploaded all of the versions in the play store, and they are
> signed with my developer certificate. I'm not familiar with how f-droid
> works, but they couldn't possibly sign the packages the same way.

F-Droid build from your source, then sign with their own key. It's
interesting that their version doesn't trigger the malware warnings,
given that both their version and the Play Store version are 1.7. You
can download the actual source tar that F-Droid have used from
https://f-droid.org/repository/browse/?fdid=com.angrydoughnuts.android.alarmclock
by the way, if you want to check that they have indeed used the same
source as you did.

I notice, by the way, that the APK for download from your
code.google.com site comes up with the same malware warnings, so it
doesn't sound like something that has changed after it was submitted to
the Play Store.

Cheers,

John

[Mark Spacek]

I switched to Lookout Security and Antivirus for now and am able to run the google play version of alarm klock with no issues. I reported this to Avast as another suspected false positive.

[John Veness]

I've just been trying McAfee Mobile Security on my phone, and that also
finds malware in the Play Store and code.google.com versions of the 1.7
APK, but not with the F-Droid version. Specifically it finds something
called "Android/G.63dd24", whatever that is.

Cheers,

John