WaxMoon / MultiApp

A customizable virtual Android container/一款可定制的虚拟安卓容器

embedded APKs?

IzzySoft opened this issue · comments

commented

The APKs attached to releases have 2 APKs embedded. Can you please tell what they are for? It's not normal for an APK to carry others inside. What's more, 3 scanners at VT have meanwhile marked it Trojan, which raises some concerns.

One is the core engine module, which provides the virtual environment required for app running. The other is the app startup routing module, through which we sometimes display some advertisements. We have pointed out the advertisement in the readme.

commented

Thanks for the explanation!

> We have pointed out the advertisement in the readme.

I couldn't find that, sorry.

Apart from its being quite unusual to nest APKs inside an APK, one of the two has another problem: it's non-free, as it uses GoogleAds and libraries from GMS (so it could indeed be seen as "trojan": the outer shell looks clean, but it ships proprietary parts inside which then are "side-loaded"). Can't the functionality of those two be reached by other means than embedding APKs? This always makes it look suspicious – especially when such reports as linked above show up. I got alerted by users of my repo for that, more than once now.

Please see 'Safety Notes and others' in the readme (https://github.com/WaxMoon/MultiApp)! @IzzySoft

This repository is primarily for developer use. So I generally don't upload it to an open source store like FDroid because of the ads! Of course, the ad isn't really that long.

commented

> Please see 'Safety Notes and others' in the readme (WaxMoon/MultiApp)!

Thanks @WaxMoon – but that just speaks about the debug flag, it doesn't cover the issue in question here. It's rather the embedding of APKs (as a maintainer of multiple repositories I've seen & scanned thousands of apps but cannot remember having seen this before) – and the concern of meanwhile 4 engines at VT (including Kaspersky, Symantec and ZoneAlarm) marking the app "Trojan". I don't have access to the APK you upload to Play Store, so I cannot say if the same applies there.

> This repository is primarily for developer use. So I generally don't upload it to an open source store like FDroid because of the ads!

If it's just "Ads", that can be marked as AntiFeature (at F-Droid as well as in my repo). It's rather that the libs used for ads (Google Ads, GMS) are non-free/proprietary, which would stop your app from being accepted there.

Your app is currently listed in my repo, as you know, which has a little more relaxed inclusion rules. But with 4 malware scanners shrieking their alarms, and no explanation why I should ignore that, I need to do something about it. Easiest would of course be to disable/remove the app, but I first wanted to check if the issue cannot rather find another solution to the best of all sides (yours, the users' and my repo's). If you want to leave it as-is and prefer me removing your app, I of course accept that.

commented

Sorry, but with those indicators and no details I'll have to disable/remove the app from my repo now, @WaxMoon – no offense meant, but my users would otherwise understand I'd (potentially) leave them at risk. I'll wait one more day in the hope to hear back from you, but then I'll have to act; I hope you understand that. Fingers crossed you can raise hopes 🤞
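
The check discussed in this thread, finding APKs nested inside a release APK, can be reproduced with a short script. This is an added example, not code from the thread or from the MultiApp project; the entry names in `build_sample()` (such as `assets/engine.dat`) are constructed for illustration.

```python
import hashlib
import io
import sys
import zipfile

def find_embedded_apks(data, prefix="", depth=0, max_depth=3):
    """Return [(path, sha256, has_dex)] for each ZIP entry that is itself an APK."""
    found = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                if fh.read(4) != b"PK\x03\x04":
                    continue  # not a ZIP container; match on content, not extension
            blob = zf.read(info)
            try:
                with zipfile.ZipFile(io.BytesIO(blob)) as inner:
                    names = set(inner.namelist())
            except zipfile.BadZipFile:
                continue
            if "AndroidManifest.xml" not in names:
                continue  # plain ZIP/JAR, not an APK
            path = prefix + info.filename
            found.append((path, hashlib.sha256(blob).hexdigest(), "classes.dex" in names))
            found += find_embedded_apks(blob, path + "!/", depth + 1, max_depth)
    return found

def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample():
    # Constructed sample: an outer APK carrying one nested APK under a renamed suffix.
    inner = _zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"})
    plain = _zip({"readme.txt": b"not an apk"})
    return _zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00",
                 "assets/engine.dat": inner, "assets/data.zip": plain, "res/a.txt": b"hi"})

if __name__ == "__main__":
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for path, digest, has_dex in find_embedded_apks(src):
        print(f"{path}  sha256={digest}  executable_code={has_dex}")
```

The SHA-256 of each nested APK lets a repository maintainer scan and track the inner packages separately from the outer shell.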