False virus found in MIT App Inventor build apk

[Andy Lau]

I have designed and built an apps (apk) with App inventor 2 and then upload to Baidu. 

Baidu (& most of the mobile apps users in china) will use Tencent mobile phone manager and it detected that the apps have virus called "a.gray.andrsca.i".

I have even try to open a new project and let it blank (that means do nothing, no coding at all) then built the apps, it still detected the virus called  "a.gray.inventor.a".

After searching on the interest, I found that whenever App inventor build an apps, it will add a component called "gray.app.inventor.a" that why Tencent mobile phone manager (in fact most of the anti-virus program) detected that and treat is as virus.

I have contact Tencent mobile phone manager (and other anti-virus supplier) and they claim that they can do nothing on that since they must protect their users from inflecting potential virus and advise me to contact App Inventor, that is the source to build the apps and add in the component  "gray.app.inventor.a" .

Would you please kindly advise how can I build the apk without adding the component  "gray.app.inventor.a" or any other ways I could solve this problem.

Many Thanks.

 

[Evan Patton]

Hi Andy,

Please answer the following questions as it will help us assist you:

1. Can you please confirm the exact name string you received from the virus scanner. You mention three different variations in your post. Did you really detect 3 different viruses or are you misremembering the message? Can you share a screenshot of the error message?

2. Which instance of App Inventor are you using to build your apps? If you are uploading them to Baidu, does that mean you are using the instance hosted in Guangzhou? Or are you using the production version at ai2.appinventor.mit.edu?

3. Have you tried testing with other virus scanners to ensure it isn't a false positive?

4. Have you checked to see whether the companion app downloaded from the Google Play Store triggers the same issue?

As for your claim that a component "gray.app.inventor.a" is added to the APK, this is just the identifier given by the virus scanner. No such component exists in our source tree. Different virus scanners will give you different names for the same virus. We will do some additional testing on our end, but the build servers add no additional behavior beyond what you would get with the companion app. For example, after building a blank app on ai2.appinventor.mit.edu, I uploaded it to a site that uses many virus scanners to scan the file. Only one tripped--all the others came back clear. This suggests that the one flagged is probably an anomaly/false positive.  

Evan