missed detection of opencandy in this android app

RealCalc calculator 1.85
Scan result in virscan.org: http://r.virscan.org/report/f8cbe340b2e64ad673ea6fa3bd4ad706 —>Adware/Uapush!Android

According to the behavior scan, there is trace of the PUP “opencandy”
see: http://a.virscan.org/6c2353c62fe7ffabab4f9044d2dcd4c8

Behavior description: Window message detail: Pid = 1332, Hwnd=0xc017a, Text = Welcome to the [b]Cheat Engine 6.4[/b] Setup Wizard , ClassName = TNewStaticText. Pid = 1332, Hwnd=0xd01f6, Text = [b]This will install Cheat Engine 6.4 on your computer.[/b] It is recommended that you close all other applications before continuing, ClassName = TNewStaticText. Pid = 1332, Hwnd=0xb0170, Text = [b]A. Cheat Engine Licence B. OpenCandy End User License Agreement [/b]A. Cheat Engine Licence 1) This license agreement is a legal, ClassName = TRichEditViewer. ...
Look! it is trying to install some cheat tool too and look at the blue part, there is opencandy mentioned. When I scan this file avast say it is clean.

Avast PUP detection is default off exept for in boot scan … have you turned on PUP detection in the scan you are doing?

EDIT: This seems to be android related, is that correct? …if so you may post in Android forum section

Scan found at virustotal is 3 months old, run a fresh scan
https://www.virustotal.com/en/file/86494160cfaff590dab60f23e36350b34c0bb725dd09e93cf6202ae395f54eff/analysis/

Hi rikyyeung,

Thanks for the heads-up on this one.
I think this is describing the detection problem here * if any: http://camas.comodo.com/cgi-bin/submit?file=86494160cfaff590dab60f23e36350b34c0bb725dd09e93cf6202ae395f54eff
Verdict
Auto Analysis Verdict
Unexecutable → htxp://u.xunzai.com/fileview_1554058.html *
See: http://www.wgpremium.cn/clean-mx/viruses.php?virusname=AdWare.AndroidOS.Uapush&sort=id%20DESC
Missed here: https://www.virustotal.com/nl/file/86494160cfaff590dab60f23e36350b34c0bb725dd09e93cf6202ae395f54eff/analysis/
and here: https://www.virustotal.com/nl/file/27ab91c08204b0061433b374808009a7fe3fe8010a2b4f5ccb866eac9ce00919/analysis/
varient of Trojan.Pramro, Mal/TinyDL-T aka MSIL aka Trojan-Dropper.MSIL.
Adware has been up and active for over 9668.2 hrs.
IDS alert from source: Suricata /w Emerging Threats Pro
Timestamp Severity Source IP Destination IP Alert
2014-10-22 16:18:44 3 221.179.190.56 urlQuery Client FILEMAGIC Zip archive data

polonus

The PUP detection have been turned on. Not even Malwarebytes give a detection of this?
I mean if you see here http://r.virscan.org/report/f8cbe340b2e64ad673ea6fa3bd4ad706, all missed the opencandy adware.

EDIT: This seems to be android related, is that correct? .....if so you may post in Android forum section
Isn't opencandy an adware for window?

I think it is a cross platform now … toolbar, ad popups, searc engine crap

It is good rickyyeung posted it here the more as inside Google Chrome PC and Android Apps are slowly integrating and the difference get even more blurred, with persisitent malware that is so long up and active and generally undetected (there also may be an mail-component involved
(OVERDUE! 9668.2 hrs.) it can go here and on the android forum section.
SOPHOS did an extended analysis of Open Candy here: http://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OpenCandy/detailed-analysis.aspx
About MalSign.OpenCandy.7AF variant.
The funny thing is that AVG detects Avast’s file aswRec.dll as malware as well. This will probably be fixed soon. It’s a false positive. If you keep getting notifications about this threat in Avast’s folder, simply reboot your computer in SAFE MODE: Full path: Program Files/Avast Software/Avast/aswRec.dll. However, other threats that you may get are likely to be real and not false positives.
The user plays an active part in installing this crap, because for this malware to attack your machine you need to install the server part of the application. It also often comes bundled. As said the infection is also commonly spread via email attachments and infected websites.
Removal should be done under guidance of a qualified removal expert. Info source: deletemalware Admin.

pol