FS Protection Android Multiple Incident Reports

I HAVE no idea why I hadn't noticed this before but, this is one of the first contents I attempted to post. But aside from strange, I'll post it for thebs a ke of record, since it is detailed.

 

BELOW IS OLD,WAS VALID BEFORE ACTUAL FIRST POST. IT DOES OR I hope it does give some answers to questions asked.

    __________________

/]OLDDRAFT BELOW [\

''""""""""""""""""""""""""""""""""''

FS-PROTECTION

Version: 17.1.9013613 FS_PROT

Scanner Buold: 1.3.233800

IAB Version: v1.0-102-g9c4951f

Browser Version: 2.0-386-gc929c78

Web Engine Version: 60.0.3112.116

LORSP Client Version: 0.1-62-g91d0641

Owner: 741a1481c2761ef2

LICENCEkey: MASKED-PRIVATE

GCM: 14

 

TIME LINE Of EVENTS

 EVENT

Antivirus identified Type Infection

Application, New wars

Package Name, net.microtable.neowars

Problem detected, TR/Crypt.XPACK.Gen

Size, 59024.9 KB

 

This game has been on my phone for quite some time and HAS NOT BEEN UPDATED. Also double checked with EAV-AM (Emsisoft), says it is clean. Google play scan, Clean. So, unless I am given any instruction, It may or may not be a false positive. I would still like further investigation due to the following.

 

NEXT

4 days ago I downloaded from aptoid 2 games, very small and only kept 1. Within the last 9 days I've downloaded from playstore, Network security (This App is terrible), Netstat, (Not great, but not bad app), Wi-Fi Warden, (Don't like it AT ALL), Mobiwol, (This is actually user friendly for a firewall like app, But as fare as the definition of firewall, it is not a firewall), NetPatch Firewall, (Not bad with options Customizations for cross platform integration with extention fields built in for a REAL proxy not just a VMVPN, it's not HIPS, but I'm liking it)... All of which to my knowledge are clean.

 

I bought my Samsung Verizon Galaxy Note 5 a few months ago, refurbished. It might at one point have been rooted, doesn't say though it was according with starting from boot prompt with PWR, HOME, VOL-UP, but I rooted at least a dozen samsungs, an LG,  and NOT A SINGLE ONE OF THEM triggered KNOX, Nor had significant issues with Google framework and still worked with Verizon cloud (Took me literally going to a corporate store to prove my device was rooted because they didn't believe me before) but I've had AT&T telecom not believe me for reasons I'd rather mention, but the whole non-disclosure has me by the hair, which led to contributor status, and other physical events attended I cannot reveal

So with that said, sometimes (almost daily), device wifi turns on/off by itself, (so does another 2 devices on same Wifi, but NOT all devices do this, and they are all samsung hold, a Google Plus, and a iPhone 7+), Also, sometimes settings are changed, don't notice it until later but fact is, settings sometimes various reasons do that from Updates, restarts, wakelock, and rarely, infection, more rarely, RAC/RAT/RCD, etc. Knowing these things, I have checked with restarting phone, AV checks, and most recently, logging as much as possible

 

2Days ago FS Protection AV was looped at file, "base.apk", I waited hours and no change. Restarted phone, restarted scan, it looped again, same file, so no change, Stopped the scan but since within the app it didn't to the stop tap, (the app it self still had ability to navigate options),  I used Samsung Package Disabler Pro (Paid) to force close it, and re-open.

 

END DRAFT FROM OLD POST.

Comments

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

    EVENT
    Antivirus identified Type Infection
    Application, New wars
    Package Name, net.microtable.neowars
    Problem detected, TR/Crypt.XPACK.Gen
    Size, 59024.9 KB

    I found with Google Search -> 'net.microtale.neowars' under Google Play store. Which probably is this one (just 'mistake' with getting package name from screen in your quote). If not and your package name was with certain view from quote -> maybe it was indeed tricky one.

    I tried to ask F-Secure Labs with F-Secure SAS: https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-url

    I will back - if I will receive any replies.

     

    FS Protection AV was looped at file, "base.apk",

    It should be with scanning process... and most likely base.apk can be with pretty large size.

     

    But - not sure - that it should be with hours (!!) anyway.

    I'm also with experience about scanning two items long time (minutes). And also able to repeat 'stop scan'-delay reaction. But with my own experience -> after some 'seconds' (close to minute) scan is canceled. Maybe there is trouble based on size of such .apk-files.  And mainly I able to suspect (or clearly see) what is application with such .apk-file (with my experience);

     

    If with your experience - unknown what is "base.apk" - probably there is not clear potential steps.

     

    Thanks!

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

     

    Reponse from F-Secure Labs about :

    'net.microtale.neowars' 

    that it was false positive and with current databases - such application should not trigger detection (?!). do you able to confirm it?

     

     

    Thanks!

  • ErrorHazard
    ErrorHazard Posts: 9 Observer

    I wrote a post but had problems unrelated to F-Secure, ... with the process I was using to gather details for post, ... and im out of time so,  I'm going to summarize. 

     

    When 2 or more agree or have  an opposing view to mine, have reference, and are not bias, I make it a point to reconsider my own perspective,  and by comparative analysis, in this case,  I conclude I may very well or must be wrong.

     

    With that said, even if it is not needed, I am embarrassed for behaving with such arrogance, I formally apologize for my haste and am humbly at your insrruction.

     

    @Ukko : Thank you for your time and attentions you spent with my reports. You were pointing me in the right direction,  you had searched and gave example of reference and that is what I have ALWAYS considered the greatest way to support,  I am grateful. I will be more receptive to your comments in the future.

     

    SUMMERY

    In my revisiting neowars I decided this time to assume it is a test to find the line(s)  of code,  or least events that would prove it is or appears infected or modified so, I went digging. 

     

    Using CFR method  I got some informarion that did look suspicious,  very much so that it did not belong in a game,  and the Archive structure also had a suspicious additional library.  I will post details as soon as I can figure out why the heck copy and pasteing the code left out specific parts of the code

     

    So, I disabled the "game"and force closed.  Which leadme ask something I can't believe I hadn't noticed right away,   I never in my life thought would ever at all be a thing,  WHEN DID AND WHY IS,  there NO QUARANTINE? 

     

    That's weird,  but so am I so I guess that's why I'm here,  (compatible).  Lol

     

    I'll post the details as soon as I tackle the problem of copy\Paste and have some time.

  • ErrorHazard
    ErrorHazard Posts: 9 Observer

    Hi, ant information from me is LONG OVER past due. I would say its the holidays but even so,  my apologies. 

     

    back to NEOWARS...

     

    I WAS going to start a forensic post here in its code however, I'm a bit curious as to this, FS Protect no longer detects Neowars as a risky application. I have not updated it as I had said it was disabled.  (I'm able to disable applications even if where the disable frame only has uninstall,  and does not have disable option, using a wonderful application called "Samsung Package Disabler Pro", by, "Android Police" (I think that is who its by,  if someone asks me,  I will check because that means someone is interested in it.).

     

    Well since the game is no longer disabled, and FS Protect doesn't detect it as a risky app, I am not going to remove it, however, I am going to keep an eye on it as it has caused this attention.

This discussion has been closed.