billthefarmer / editor

Android simple text editor

Home Page:https://billthefarmer.github.io/editor


"su" check in v1.89 - false positive?

muzso opened this issue · comments

Hi!

First of all: thanks for all your work on this app! :-)
Your effort is greatly appreciated.

Second: on the VirusTotal page of the v1.89 APK (from https://f-droid.org/repo/org.billthefarmer.editor_189.apk) the VirusTotal Droidy behaviour analysis shows a "su" shell command execution:
https://www.virustotal.com/gui/file/afb614c44ed7c6478be80be55dfd542b909104b01ad7da1ad3e96ca0ade4cc04/behavior

I've read the documentation of Editor and could not find mention of features for rooted phones.
I've searched for "root" in the GH issues and did not find any confirmation that root-related features exist.

Do you have an idea why this "su" execution might show up in their analysis?
I've looked at a few other APKs and not all APKs produce this "su" execution, so it seems it's not coming from the execution environment of the VirusTotal Droidy analysis service.

I've disassembled the APK with apktool and not found any reference to "su".
I used the following command to search (this should find anything in US-ASCII and UTF-8 files, and all text files from the disassembly are in one of these character encodings):

egrep -riaH '^(.*[^a-z])?su([^a-z].*)?$'

Did the same for the word "root" and it didn't give me any relevant hits either.

This "su" stuff might be a false positive though.
E.g. I've created a Hello World APK (based on Google's tutorial at https://developer.android.com/codelabs/basic-android-kotlin-compose-first-app), uploaded it to VirusTotal and the Zenbox behaviour analysis shows all sorts of malicious capabilities and shows a threat level of 48 (on a 100 scale) and a "Malicious" verdict. LoL :D
See: https://www.virustotal.com/gui/file/68f2b3baa4cfc1dfd2c04f0c350e5eba640be1a4976c54ee23bb23f12298d130/behavior
(for the full Zenbox report go to the "Activity Summary" line and on the right side of the screen open the "Full Reports" dropdown and click Zenbox)

So I don't know how trustworthy these behavior analysis tools are.
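The apktool-then-grep check described above, as an added example (not code from this issue or from the editor project): a Python scan of apktool's smali output that reports only `const-string` values that look like an "su" invocation (the bare token, a known su binary path, or an `su -c ...` line) together with the enclosing method, so substring matches such as "sum" or "result" are not reported. The smali sample is constructed for the demo and does not come from the editor APK.

```python
# Scan apktool smali output for string constants that could indicate an "su"
# invocation, as an offline cross-check of a sandbox's behaviour report.
import re
from pathlib import Path

# Matches a const-string whose value is exactly "su", a known su binary path,
# or an "su"-prefixed shell line ("su -c ..."). Substrings such as "sum" or
# "result" are deliberately not matched.
CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')
SU_PATTERN = re.compile(r'^(?:/system/(?:x?bin)/su|su(?:\s+-.*)?)$')
METHOD_START = re.compile(r'^\.method\s+(.*)$')

def scan_smali_text(text, filename="<constructed>"):
    """Return (filename, line_no, method, value) for each suspicious const-string."""
    hits = []
    method = None
    for n, line in enumerate(text.splitlines(), 1):
        m = METHOD_START.match(line.strip())
        if m:
            method = m.group(1)
            continue
        if line.strip() == ".end method":
            method = None
            continue
        m = CONST_STRING.search(line)
        if m and SU_PATTERN.match(m.group(1)):
            hits.append((filename, n, method, m.group(1)))
    return hits

def scan_apktool_dir(root):
    """Walk an apktool output directory and scan every .smali file."""
    hits = []
    for path in Path(root).rglob("*.smali"):
        hits.extend(scan_smali_text(path.read_text(errors="replace"), str(path)))
    return hits

# Constructed sample smali (not from the editor APK) with real hits next to
# the substring false positives a naive grep for "su" would also report.
SAMPLE = '''\
.method private checkRoot()Z
    const-string v0, "su"
    const-string v1, "/system/xbin/su"
    return v0
.end method
.method public sum()I
    const-string v0, "sum of results"
    const-string v1, "su -c id"
    return v0
.end method
'''

if __name__ == "__main__":
    for hit in scan_smali_text(SAMPLE):
        print(hit)
```

Run `scan_apktool_dir("path/to/apktool-output")` on a real decode to get the same tuples per file; an empty list is the offline counterpart of the "no reference to su" result reported above.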

F-Droid builds apps from source in an isolated VM and has scripts to check for any devious stuff in the source. One of my apps occasionally gets flagged by someone's AV, but if you check on VirusTotal it's just one AV out of many. If you suspect an open source app, check the source; you don't have to decompile it.