com.android.sdksandbox infection, but file cannot be removed

desperado
desperado Posts: 8 Explorer

Hello,

F-Secure reports an infection, but the file cannot be removed. Please see screenshots.

After pressing OK nothing changes. So the file still seems to be on the smartphone with its defect. Any idea why F-Secure is not able to remove it? I checked whether the app suffers any limitations on accessing and deleting files, but I do not find any 'allow to delete files'.

Thank you in advance.

Accepted Answer

  • PawełP
    PawełP Posts: 202 Moderator
    Answer ✓

    Hello @desperado & @Ukko

    I would like to inform you that our technicians have carefully examined this file and it turns out that this is a case of a false positive. This means that this file does not pose a threat to the device.


    Soon, with the program update, the threat message from this file will stop appearing.

    Have a good one!

    Pawel

    Making every digital moment secure, for everyone


Answers

  • PawełP
    PawełP Posts: 202 Moderator

    Hello @desperado

    We welcome you to our forum and thank you for your comment.

    Our security department has checked this application.

    The application is using a dev/testing signature plus package name. This makes it a suspicious application that may not be secure. Therefore, we recommend its removal.

    Please check if this application is still in the list of installed applications on your device. If so, remove it manually. Here is a link on how to remove the app from your Android device:

    Delete apps on your Android device - Android Help (google.com)

    From our side, we would like to ask you to tell us what version of F-Secure you are using on this device and what version of Android you have installed.

    And also, what happens if you go back from the scan details view to the AV view (main view of our app), does it also show the infection still? If AV view shows the "infection found" and you click that, what happens then?

    This will help us figure out why this app was not removed from the scan level.

    Best regards.

    Pawel

    Making every digital moment secure, for everyone

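The moderator's reasoning above (the package carries a dev/testing signature) can be reproduced on your own device. The following is an added example, not code from the thread, from F-Secure or from AOSP: it inspects an `apksigner verify --print-certs` dump and flags signers that use the subject DN of the public AOSP test keys. The device commands in the comments assume `adb` and `apksigner` (Android SDK build-tools) are on PATH; the two sample dumps are constructed, and their digests are placeholders, not real fingerprints.

```shell
#!/bin/sh
# Added example: flag APK signers that use the public AOSP test-key certificate
# (what the moderator calls a "dev/testing signature"). Runs offline on the
# constructed sample dumps below.
#
# On a real device, capture the dump for the flagged package like this:
#   apk=$(adb shell pm path com.android.sdksandbox | sed 's/^package://' | head -n1)
#   adb pull "$apk" sdksandbox.apk
#   apksigner verify --print-certs sdksandbox.apk > certs.txt
# and check whether it is a system package (system packages cannot be
# uninstalled by the user, at most disabled):
#   adb shell dumpsys package com.android.sdksandbox | grep -E 'codePath=|flags='

# Subject DN shared by the keys in AOSP's public build/target/product/security
# set (testkey, platform, shared, media). Anyone can download these keys, so a
# release build signed with them is treated as dev/test signed by scanners.
AOSP_TEST_DN='EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US'

# Print the DN of every signer certificate in an apksigner dump ($1).
signer_dns() {
  sed -n 's/^Signer #[0-9]* certificate DN: //p' "$1"
}

# Exit 0 if at least one signer carries the AOSP test DN, 1 otherwise.
# Caveat: a DN is not proof of the key. A vendor could reuse this DN with a
# private key, so compare the SHA-256 digest against a known-good value too.
has_aosp_test_signer() {
  signer_dns "$1" | grep -qF -- "$AOSP_TEST_DN"
}

# Constructed sample dumps in apksigner's output format (placeholder digests).
TEST_SIGNED=$(mktemp)
VENDOR_SIGNED=$(mktemp)
trap 'rm -f "$TEST_SIGNED" "$VENDOR_SIGNED"' EXIT

cat > "$TEST_SIGNED" <<'EOF'
Signer #1 certificate DN: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 0000000000000000000000000000000000000000000000000000000000000000
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
EOF

cat > "$VENDOR_SIGNED" <<'EOF'
Signer #1 certificate DN: CN=Example Vendor Release Key, O=Example Vendor, C=FI
Signer #1 certificate SHA-256 digest: 1111111111111111111111111111111111111111111111111111111111111111
EOF

for f in "$TEST_SIGNED" "$VENDOR_SIGNED"; do
  if has_aosp_test_signer "$f"; then
    echo "$(signer_dns "$f") -> AOSP test key (dev/testing signature)"
  else
    echo "$(signer_dns "$f") -> not an AOSP test key"
  fi
done
```

On a stock or vendor-signed ROM the system packages should show the vendor's release certificate; a de-googled or self-built ROM signed with the AOSP test keys will show the DN above for every system package, which is exactly the situation that produces this kind of detection.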

  • desperado
    desperado Posts: 8 Explorer
    edited April 17

    Dear @PawełP

    My device is partially de-googled, please look at the screenshots. I do not find any app like 'sdksandbox' or similar that could be installed easily via the Google Play Store. It seems to me that it is a system app that came with my Android OS (which I installed months ago) and was either modified days ago and/or was recognized by F-Secure for some reason. I do not see how I could uninstall this app or remove the possibly infected file.

    I wonder why F-Secure is not able to remove it. I expected that F-Secure can remove/delete ANY file or app that seems to be infected… Android version 13

    Edit: PII removed

  • desperado
    desperado Posts: 8 Explorer
    edited April 17

    Hello @PawełP

    Thank you for trying to help.
    (The title of the post should be 'com.android.sdksandbox infection…', but I do not see how to correct it after having opened the post.)

    My device is a partially de-googled device. I installed and set it up months ago.

    com.android.sdksandbox seems to be a system app. I do not see how I could uninstall it. I do not see why it is marked by F-Secure as infected, because I did not install something like 'sandbox' in the past days. I wonder why F-Secure is not able to delete/remove infected files/apps, no matter whether they are part of the system or not. At least I would expect a message WHY F-Secure was not able to remove it.

    Please see the screenshots for further information about the versions. Android version 13.

    Thank you!

    Edit: PII removed

  • Ukko
    Ukko Posts: 3,628 Superuser

    Hello,

    I am only an F-Secure user. Since it is potentially a system app, maybe it is impossible to uninstall or remove it from the device. Maybe there is an option to "stop" it or "disable" it in some way. I am not sure why the F-Secure app suggests uninstalling it and does not inform about any failures. Also, why the app is detected. Likely, if you disable it, F-Secure will stop detecting it.

    However, I cannot surely recommend that way, since "sdk" may mean something important. And there is a discussion on the web: https://github.com/GrapheneOS/os-issue-tracker/issues/2656

    GrapheneOS is an alternative Android rendition, perhaps.

    Also, I am puzzled why there is no certain detection name for the 'app', but instead the "Infection" wording.

    I think something within "com.android.sdksandbox" is actually detected (not the entire "com.android.sdksandbox"). And this is the reason why F-Secure cannot delete/remove/disable it.

    Let's think about "com.android.sdksandbox" as a container. A certain piece in that container is known to the F-Secure app as 'malicious' or 'dangerous' (maybe a false positive, though). The F-Secure app cannot delete or remove only this piece from the entire container.

    Otherwise, I would expect a certain 'detection' name for the application or service, not just the "infection" type. Maybe internal logs in the app may show something about it, and if so, it would be good if the F-Secure official team contacts you and assists further on this subject.

    Thanks!

  • desperado
    desperado Posts: 8 Explorer

    Hello Ukko,

    Thank you for sharing your thoughts.
    Yes, the first reaction of F-Secure support was 'possibly false positive'. They are still analyzing. This is the first time that F-Secure has reported something suspicious on my Android device, so I do not know if they usually tell more than 'infection'. I will wait for their answer for a few days and then try another scanner.

  • PawełP
    PawełP Posts: 202 Moderator

    Hello @desperado

    We collected all the information you sent us. At the moment, the case is being thoroughly investigated by our security department. We want to take a close look at it and determine how to solve this problem.
    As soon as I receive information about the progress I will report it on the forum. Thank you for your patience.

    Best regards.

    Pawel

    Making every digital moment secure, for everyone


  • desperado
    desperado Posts: 8 Explorer

    Dear Pawel,

    Thank you for keeping us informed.

  • desperado
    desperado Posts: 8 Explorer

    Dear Pawel,

    great, thank you. We can close this issue.

    Kind regards
