AVG reports a trojan for v2.2

[IzzySoft]

A check with VirusTotal reports a trojan named "Android/C2M.I.62A80EEE7B6C" for v2.2. Any idea what could cause it? To me it looks like a "false positive" (especially as only 1 out of 55 engines reports it), but there's no background info on it. Would be nice to get rid of that nasty flag :)

[nekocode]

No idea. I just tried to modify the proguard-rules and recompile a new apk. But it still reports the same result.

[IzzySoft]

As it didn't so with the last release (or does it now?), a diff might turn up something. But as I wrote, with only 1 out of 55 engines reporting it, I do not consider it a major issue. Mainly just wanted to let you know – and if there were an "easy fix", you might have wanted to apply it.

[IzzySoft]

BTW: I just see apksigner reports an issue on that package as well:

ERROR: JAR signer CERT.RSA: JAR signature META-INF/CERT.SF indicates the APK is signed using APK Signature Scheme v2 but no such signature was found. Signature stripped?
WARNING: Archiving "cn.nekocode.camerafilter_2.2.apk" with invalid signature!

Not sure if that's related – but it makes more recent versions of fdroidserver rejecting the package.

[nekocode]

Big thank you for reporting me. I'll take a look this weekend.

[IzzySoft]

Thanks for your response! Meanwhile I can give you a pointer even, as one of the other devs affected was able to solve it for his app: Seems there was a bug in some version of Android Studio (my guess is when they started implementing v2-signing). So a simple rebuild with a recent version solved it at least there. Can you confirm that for CameraFilter – before I suggest that approach to the other affected repos? Of course, this weekend is fine – I'm not asking to "hurry up" 😉

[nekocode]

You're right! I just rebuild it with Android Studio 3.0 and get a new result. I will publish a new release and close the issue tonight. Thank you very much!

[IzzySoft]

Cool – glad to read the solution was really that simple! Did it solve the signing issue as well? You can check that using apksigner verify <file>.apk.

[nekocode]

Yes, it also solve the signing issue.

Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1

[IzzySoft]

\o/ Yay! That's very good news. Will see to inform the others then. Thanks a lot again!

And let me know when you've replaced the APK (eg. by closing this issue, so Github sends me a notice). I'll replace it in my repo then.

[nekocode]

See the release 2.3.

[IzzySoft]

Thanks! Online now (just triggered a manual update). Looks phantastico: No AVG warnings, no warnings from apksigner – so when switching to the new fdroidserver, I'll simply let it drop v2.2 as we have a more recent version.

So in the name of our users: Thanks again for your fast help!!! 👍