App XP Investimentos False Positive

Hello,

I’m a Software Architect at XP Inc.!

Our clients are informing us about a Malware Advertisement in the Android XP Investimentos App (https://play.google.com/store/apps/details?id=br.com.xp.carteira). Our team has already analyzed all the possibilities with this positive risk, and we concluded that it is a false positive. We tried to send a request to add this software to the Whitelist, but the form seems to be out.

Can anyone please help us in this situation?

I have attached some evidence in order to help in the analysis.

Thank you!

Gustavo Santorio

https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Hello Pondus,

I already posted this situation to the form too, but received an Internal Server Error from the webpage.

Thanks!

Upload and scan the file at www.virustotal.com

Post the link to the scan result here, then avast lab can fetch the file from VT when they see this topic

Wait for a final verdict from avast team, as they are the only ones to act.
Has that file been signed properly?
Is there an insecure inline script somewhere?

polonus

Thank you for the tip Pondus!

Here is the VirusTotal analysis link https://www.virustotal.com/gui/file/fdcfbea8552e010be3c8cd2a92cb288f9adfe4f5b16b4fad4a1cb7990548d8a1, but Avast and AVG seem to be out, because the analysis returns no information.

Does anyone know if this could be a problem in Avast?

Thank you!

Hello Polonus,

My problem is that the Whitelist form seems to be out, and returns an Internal Server Error. Our app has more than 2 million users, and we have a lot of security validations in our publication process. We don’t have any insecure script in our code, and avast doesn’t return any explanation to our clients. It just sends the Malware advertisement.

I’m waiting for the responsible team to answer my questions, but until then we can lose a lot of clients, and this is the reason that I’m trying to contact anyone at Avast who can help me.

Thank you a lot!

Hi Gustavo, as you’re a developer, read here…

https://support.avast.com/article/229/
https://support.avast.com/article/228/

It isn’t a problem, avast doesn’t do on-demand website/url scans on VT, it only does live website scans via the Web Shield, that is why you don’t see them in the results.

Dev-Info: Hello everyone, there was an issue with FileRep, leading to False Positives. The issue has been resolved (1 PM CET).

He did not scan a URL but an APK file (Android). Click the VT details tab.

avast/AVG is visible in the scan result but given “Timeout”
avast-mobile engine gives a clean result

Thanks, I thought it was just checking a url.

That said there has been a response by Asyn from Avast-Dev.

So I would ensure that gustavo.santorio checks for updates to virus defs or program.

The only warning that the file scan results at VT produce is “Contains one or more Linux executables”.

Also looked at the following scan results:
https://urlscan.io/result/1e2d2522-56e5-41bc-bc19-74bfdf177eab/

Nothing much in the form of indicators:
https://urlscan.io/result/1e2d2522-56e5-41bc-bc19-74bfdf177eab/#indicators

Nothing much here either: https://urlscan.io/api/v1/result/1e2d2522-56e5-41bc-bc19-74bfdf177eab/

Look at the DOM

5[Violation] ‘setInterval’ handler took ms

and
[Violation] ‘requestAnimationFrame’ handler took 76ms content.script.js

Violation - Update native-base version.

polonus (volunteer 3rd party cold recon website-security-analyst and website error-hunter)