Signal APK still marked as Trojan + Other APKs with VirusTotal

DeletedUser89

Hello, I recently switched to installing all my apps through Obtainium by getting the APKs directly from Github or the like, mostly to move away from F-Droid and Aurora Store security issues I feared. Browsing the forum, I noticed a post about two months back about Signal showing up as a Trojan (TROJ_GEN.R002V01KD23) with TrendMicro-HouseCall. I checked it again, and have noticed the same detection popping up with the latest version (6.41.3). The scan is linked below.

https://www.virustotal.com/gui/file/83b1513e154f59de098bf7f44b918278d3629d124aec6ff49ee637043c8dcc65

I'm just wondering if this is simply a false positive and nothing to worry about? Especially as I've seen that many users here make use of Signal and it is a decently reputable app amongst the privacy community. My reason for this post is I haven't seen it discussed much anywhere else.

Furthermore, I decided to scan the APKs of a few other of my apps; a music playing app and flashcard app I've been using for a while as well.
For Auxio, the music-playing app, the version is 3.2.1 and also was marked just by TrendMicro, but with a slightly different Trojan version (TROJ_GEN.R002V01KC23). Link is https://www.virustotal.com/gui/file/1f93ae1be67b8c74ce8ecff762decaf93ed8e4f7d58d2a9a49fa2a2a218ca2b1/detection.

For the flashcard app (ForgetMeNot), version (1.9.0), it was marked by MaxSecure as having some form of malware? (Android.W32.Bray.n). Link is https://www.virustotal.com/gui/file/5412f708562367d50e620a4900125c04d9d4d26311124b2015b205832d50c38a.

Both of the apps were downloaded from their original sources on github.

Now, this is no security report, and I am a complete beginner in this stuff, despite using GOS for a few years now, so my questions are, are these simply false positives, especially since only one security company marks them? The two additional apps mentioned before require minimal permissions and I have never had issues with them, however a detection on VirusTotal is usually something I pay lots of attention to. All in all, I would really appreciate it if perhaps somebody could give some insight on this and put my mind at rest? I'm also interested in knowing how some of the people here usually approach installing APKs, is it a normal custom to scan it with a tool such as VirusTotal?

raccoondad

DeletedUser89 False positive, the file you linked matches the hash found on signals official webpage so I can't imagine its anything but a false positive

[deleted]

DeletedUser89 enumerating badness with a potential spyware? You can get Signal directly from their website.

https://signal.org/android/apk/

If I can't trust Signal's web, I wouldn't trust their servers, just on the margin.

DeletedUser89

Yes, I apologize for some confusion the first sentence may have caused. I downloaded the APK from the official, original, Signal website. The exact one you linked [deleted]

raccoondad

[deleted] The APK you linked is the same he has downloaded, check the SHA256 hash for yourself.

DeletedUser89

This whole issue though is a bit confusing, how is it that only one security company marks the APK as malicious, and all the other ones mark it as clean? Possibly indicating a false-positive? I also know some people in this community have mentioned using Auxio, it would be interesting to see if that is too a false-positive.

raccoondad

DeletedUser89 There are tons of false-positives I found on google/github searching for that Trojan specifically, so it seems its just a thing that happens

DeletedUser89

raccoondad Gotcha, it does seem like a common occurrence from what I've seen. Any ideas about the flashcard app mentioned? I've also searched about MaxSecure and whatever "Android.W32.Bray.n" is, and a few have said it pops up as a false-positive, but I don't like to take chances honestly.

[deleted]

Note to myself: VirusTotal is owned by Google. I needn't bother any further :)

DeletedUser89

Perhaps it is just all a case of false-positives then? I have been reviewing the aforementioned flashcard app and the only permissions it asks for are android.permission.FOREGROUND_SERVICE, android.permission.VIBRATE, and android.permission.WAKE_LOCK, which are completely harmless, so how would it even do anything malicious? Especially with how GOS sandboxes apps.