
Virustotal check of downloaded apks #257

Open
yeriomin opened this issue Aug 14, 2017 · 16 comments

Comments

@yeriomin
Owner

After download completes, the apk can optionally be checked for malware on virustotal. Since only the SHA256 of the apk is required, it should not take too much time.

@Wandang

Wandang commented Aug 28, 2017

This is more of a "feel-good"-security approach. Virustotal won't detect malware right away and I assume that google itself is faster and will take down the app.

So when an app gets a malware-infused update it is probably too late anyway.

Sure there might be the occasional malware that is triggered by heuristic analysis but it would be a stretch (in my opinion) to assume google doesn't use state of the art heuristic analysis themselves.

@yeriomin
Owner Author

@Wandang

Points to consider:

  1. Virustotal is a part of Google
  2. Malware still frequently appears in Play Store.
  3. It is impossible to distinguish malware from proper software automatically. Antivirus software detects unwanted apps mostly through known signatures, not through heuristics.

So I think a signature check is pretty similar to what Google Play Protect™ is doing or is at least a part of it.

You are right, Virustotal won't detect malware right away, but nothing actually does, so the signature check is not useless.

@Wandang

Wandang commented Aug 28, 2017

@yeriomin

  1. Didn't know that, neat
  2. Yes ofc. I didn't mean to claim otherwise. I just wanted to indicate that if google didn't catch the malware, virustotal probably doesn't have a signature for that as well.
  3. The point I tried to make here was that signatures are being distributed quite fast between vendors. So signature scanning on virustotal will result in a significant rise in positive hits over a day because most vendors update their signatures to include the newly identified malware. So what (in my opinion) really differentiates the antivir vendors is their heuristic algorithm. Some might be aggressive with a lot of false positives while others are lenient. That's why I said occasionally malware will be found by virustotal instead of google. (I don't know if google has tight or lenient heuristics.)

Take this all with a grain of salt since I am not a security expert. Just a regular software developer stating his opinion.

The only advantage I would see in integrating virustotal is the timely removal of the malware-infused app or reinstating a backup if needed. (Granted that Yalp never checks if an app was kicked from the google store because of malware. Do not know that.)

The second advantage would be a better feeling of security for the end user.

So if you feel strongly about this feature or if your knowledge of the topic recommends this (as stated I don't have any deep knowledge on that topic) then go ahead. It's not like I never use virustotal myself (on the rare occasion that I am sitting in front of a windows machine. Process explorer [advanced task manager] has integrated virustotal for processes, which is neat).

Hope this made my position more clear.

Cheers :)

@haroon-ali

haroon-ali commented Aug 31, 2017

Another point is that virustotal.com has a lot of false positives. I use it a lot and actually many safe apps are reported as infected, especially on those infamous anti-virus engines, while on the major engines like eset/Kaspersky/panda/drweb for example it's reported as OK.

So if you want to provide this function you may consider just a warning or, better, checking against just 10 of the major antivirus engines.

Also with deltas it'll be a problem. Newly updated apps will have to be uploaded for the 1st time to virustotal.com.

Anyway I think it's not the job of yalp store to do so.

@setuidroot

Any progress with this? I ask b/c I started working on a new VT app to upload files easily from android. I may be able to contribute to this because of some code I've already done.

I'll take a look at the UI and maybe look at adding this functionality... if you're already working on it though let me know, I'll help any way I can.

Thanks for this app by the way... got rid of the google monster from my phone altogether now :)

@yeriomin
Owner Author

yeriomin commented Oct 5, 2017

@setuidroot I haven't started working on this yet.

I cannot be sure, but I think all apks from Play Store get into the virustotal base on upload, and are marked malicious only after a sufficient number of people report something. So uploading apks to virustotal is not something Yalp Store should do.

Checking downloaded and/or installed apks can be useful. There is no technical difficulty in implementing this since it is just a request to https://www.virustotal.com/#/file/<sha256>/detection, but I'm not sure how it should be done in the UI to bring more good than harm. @haroon-ali makes a valid point. For example https://github.com/yeriomin/YalpStore/releases/download/0.27/com.github.yeriomin.yalpstore_27.apk is considered malicious by one of the engines on virustotal.

[Screenshot: VirusTotal detection page for the Yalp Store 0.27 apk]

@jfwerner

I don't see the point. The apps are directly downloaded from the Play Store, so there shouldn't be any more malware than in the normal Play Store, provided the connection is encrypted. Please tell me it's encrypted.

@yeriomin
Owner Author

so there shouldn't be any more malware than in the normal Play Store,

There is going to be exactly the same amount of malware. There is malware in Play Store, see my second message in this issue.

provided the connection is encrypted

Encryption is irrelevant; the amount of malware wouldn't change if the connection was not encrypted.

Please tell me it's encrypted.

Yes, everything goes through https.

@TomJansen

I think that this feature adds more bloat, you can also download a separate app to scan your phone.

@rugk

rugk commented Jan 23, 2018

I think this feature is useless. As Virustotal is part of Google (as you noted), I am very sure Google already scans each app and takes them down or so.

Encryption is irrelevant; the amount of malware wouldn't change if the connection was not encrypted.

Sorry, but you miss the point. You do not want to have the list of apps you have installed exposed to anyone on the network. That has nothing to do with malware.
But as it would use HTTPS, this is not even a point to discuss.

@jfwerner

jfwerner commented Jan 24, 2018 via email

@DarkCat09

@yeriomin,

--- English
I suggest adding the "Scan APK on VirusTotal" option to the settings. If the parameter is enabled, the application is scanned and in case of three or more detections, the user is shown a dialog with a warning about the harmfulness of the file. (Partially translated by Google.)

--- Russian
I suggest adding a "Scan APK on VirusTotal" option to the settings. If the option is enabled, the application is scanned, and if there are three or more detections, the user is shown a dialog warning that the file is malicious.
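The hash-only lookup yeriomin describes above, combined with DarkCat09's "three or more detections" threshold and haroon-ali's idea of trusting only a handful of major engines, as an added example that is not part of Yalp Store or this thread. It uses the VirusTotal API v3 file-report endpoint (a GET by SHA-256, so nothing is ever uploaded); the engine allow-list and the sample report are constructed here.

```python
import hashlib
import json
import urllib.error
import urllib.request

VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{sha256}"  # hash lookup only, no upload
DETECTION_THRESHOLD = 3  # DarkCat09's proposal: warn at three or more detections
MAJOR_ENGINES = {"ESET-NOD32", "Kaspersky", "DrWeb", "Panda"}  # assumed allow-list (haroon-ali's idea)

def sha256_of_file(path):
    """Stream the APK through SHA-256 so a large file never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def fetch_report(sha256, api_key):
    """Ask VirusTotal for the existing report on this hash; None means VT has never seen the file."""
    req = urllib.request.Request(VT_FILE_REPORT.format(sha256=sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # e.g. a freshly released APK that nobody has submitted yet
            return None
        raise

def count_malicious(report, engines=None):
    """Number of engines reporting 'malicious', optionally restricted to an allow-list of engines."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return sum(1 for name, r in results.items()
               if r.get("category") == "malicious" and (engines is None or name in engines))

def verdict(report, engines=None, threshold=DETECTION_THRESHOLD):
    """'unknown' when VT has no record, 'warn' at or above the threshold, otherwise 'ok'."""
    if report is None:
        return "unknown"
    return "warn" if count_malicious(report, engines) >= threshold else "ok"

# Constructed sample in the shape of a VT v3 file object: four hits, only one from an allow-listed engine.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "ESET-NOD32": {"category": "undetected"}, "Kaspersky": {"category": "malicious"},
    "DrWeb": {"category": "undetected"}, "Panda": {"category": "undetected"},
    "VendorA": {"category": "malicious"}, "VendorB": {"category": "malicious"},
    "VendorC": {"category": "malicious"},
}}}}
```

Counting all engines, the sample crosses the threshold and warns; counting only the allow-listed ones it does not, which is exactly the false-positive trade-off haroon-ali raises.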

@jfwerner

@DarkCat09 why comment on this? Yalp is a dead project and has been replaced by Aurora store from Whyorean

@rugk

rugk commented Dec 22, 2020

@jfwerner Is it, though? If so, I have opened an issue: #638

@jfwerner

jfwerner commented Dec 22, 2020 via email

@DarkCat09

@jfwerner,
Pardon me 😄
Why isn't the repository marked unmaintained?
