Virus in Android App?

[Checki]

I get the download the Android app with the GS911 downloader a virus message on my Windows PC.
After transfer to my smartphone I get also a viral message

android.riskware.SMSSend.gQVj
Malware

That's not nice and I'm about my thoughts

What is going on here?

[Inspector Gadget]

Could it be that you are using one of the free AV scanners on your machine?
These free versions use often some kind of heuristics to detect malware and some version are quite susceptible to false alarms.
And not detecting that well on actual viruses neither.

For the paid version you can always contact that vendor and ask them to do a deep analysis if there is indeed malware or not.

[Xchallenge]

Yes, there are currently 6 out of 53 virus scanners that since today flag the Android app as malware when tested on www.virustotal.com. Yesterday all AV-scanners said the file was okay.

On the other hand, the file I download now is unchanged from the one I downloaded after it's release. Realistically that file have been used by many users for a year now and one would expect that any bad behaviour would have surfaced during this time. My guess is that it is a false-positive.

I expect a serious AV-manufacturer to have a reporting facility for false-positives, so please make use of it. Finding and fixing false-positives is really in the best interest of the AV-manufacturer, so they would be stupid not to make use of their complete user base for that.

Let's hope that someone from Hex will respond here...

[Inspector Gadget]

Realistically, a False Positive can happen but it is a wee bit sloppy from the side of the AV vendor, if I may be so honest.
The number of different (!) malware is not as predominantly big on the Android OS-ses as, lets say, the ones for the PC.
There are some variants, but that does not merit a False Positive.
But that is my opinion, of course.

In my view, HexCode is not to blame nor the one to take action upon this.
As there are literally hundreds of AV vendors, or products that contain a form of AV protection, in some kind of shape.
It would soon become more then a day-job to maintain all those AV vendors.
VirusTotal is a quick-and-dirty method, but it is not watertight nor it is not without some criticism either.

The FP could be due to compression-schemes used, some coding-practices or something those AV vendors think alike that malware is behaving, that depends sometimes quite differently between the various AV vendors.

If your AV encounters something that appears to be a False Positive, your AV vendor is responsible for further investigation and resolving it.

Next to the fact, that AV vendors often respond rather more quickly to somebody (end-user) paying for their software (license) and reporting an FP then some software company (HexCode) that happen to generate an FP.
At least, these are my experiences.

I agree, any serious AV vendor does offer, track-and-traced, a reporting facility to submit any possible data to further analyse, both false negatives (= not detected malware) and false positives.
It is indeed also the user-base, next to other customers, AV researchers and so on, who will strengthen the detection-rates and also help avoid FP's.

 

[kobus]

Let's hope that someone from Hex will respond here...

Not much to say really.
It's a false positive. And as mentioned above, it's really the anti-virus vendor's job to make sure they do not report false positives.

[Checki]

I use GData Full Version

I have Contact the Vendor but no answer today.

greets

[Xchallenge]

Not much to say really.

A simple reassurance from the manufacturer, that takes you 10 seconds, can be the thing that give inexperienced users the courage and energy needed to report the false positive to their AV-supplier.

And as mentioned above, it's really the anti-virus vendor's job to make sure they do not report false positives.

I agree. If everyone else was perfect, there would be no false positives. But they do happen and up until someone is encouraged to report it to their AV-supplier, it's you that look bad. Life isn't always fair.

Edit: as I was writing this, one of your customers was apparently encouraged to finally report the issue.

[Inspector Gadget]

I'm not here to defend HexCode of course, but in my view it is all about managing expectations;

Assurances & verification should be provided by the AV-supplier, instead of HexCode. Full stop.
Your first contact should be with your AV-supplier, as they are the experts in AV, and, in this case, causing the False Positive.
When they report back to you that it is indeed malware, you then should contact & inform the supplier of the software, in this case HexCode.

Believe me that AV-suppliers deal with a lot of False Positives on a daily and continuous basis, it is part of the nature of their business.
Especially the consumer- and the "free" ones, as they enforce more aggressive (often also heuristics) detection methods.

Expecting HexCode to respond due diligently to every claim of malware, without first contacting your AV-supplier to have it investigated by their AV-experts, is a wee bit unfair.

You are right, life is not always fair;
To me, your AV-supplier would look bad.
Not HexCode.

But that is my opinion, of course.

[Xchallenge]

Expecting HexCode to respond due diligently to every claim of malware, without first contacting your AV-supplier to have it investigated by their AV-experts, is a wee bit unfair.

To make everything crystal clear, my AV-supplier have never flagged this particular software as malware. I only tried to give my friendly advice to Hexcode, that they could give a simple reassurance to the OP that the software being malware-free. One should never underestimate the importance of an "official" statement.

As a test, I reported the false positive to some other (major) AV-suppliers following Checkis response. I used their respective web pages (without being a customer/user of any product). I guess I spent 10-15 minutes on that.

According to virustotal, only 2 (down from 6) AV-manufacturers still report the app as malware now.

I agree that it is the AV-supplier that should look bad. Unfortunately, that opinion will probably be limited to people that are very informed about this industry. To the 96% average non-professional users/customers, Hexcode most likely look bad when their software is reported as malware.

[Inspector Gadget]

My advice would be, when something is being detected AV-wise with any software from HexCode, to raise it via their HelpDesk-email;
http://www.hexcode.co.za/contact-us-1

[Checki]

GData has fixed the false alarm. The app does not appear to be malware.

[kobus]

That really gives me a warm fuzzy feeling