watcher

Fake virus report of "Android/Trojan.Dropper.Agent.CEV" with qiku cert


Hi sir,

 

It seems Malwarebytes gives a fake virus report for apps signed with our company's cert: "testkey/emailAddress=android@qiku.com". Please check the attachment for a test.

 

Any APK file + testkey cert = Android/Trojan.Dropper.Agent.CEV

 

Please help, thanks.

 

--------------------------------------

 

Cert information:

EMAILADDRESS=android@qiku.com, CN=testkey, OU=Qiku, O=Qiku, L=ShenZhen, ST=GuangDong, C=CN

MD5: CA:57:D0:DD:23:93:A7:CC:CF:95:74:85:4E:11:7E:9D

SHA1: F7:02:01:60:B4:96:AE:66:34:DF:AE:2E:60:B3:6E:56:0D:D3:84:0B

SHA256: D1:24:82:54:9C:80:F8:B2:3F:67:E0:94:05:F6:BD:50:E5:94:1B:3E:A5:A0:AF:5E:77:92:6F:0E:92:72:3B:3E

 

 

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            d8:a6:f8:31:66:e2:19:9e

    Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=Qiku, OU=Qiku, CN=testkey/emailAddress=android@qiku.com

        Validity

            Not Before: Jan 27 02:59:12 2016 GMT

            Not After : Jun 14 02:59:12 2043 GMT

        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=Qiku, OU=Qiku, CN=testkey/emailAddress=android@qiku.com

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)

                Exponent: 3 (0x3)

        X509v3 extensions:

            X509v3 Subject Key Identifier:

                69:F6:FE:6C:40:29:7F:4B:C1:BE:F9:94:5C:4D:BF:78:5D:66:7F:A8

            X509v3 Authority Key Identifier:

                keyid:69:F6:FE:6C:40:29:7F:4B:C1:BE:F9:94:5C:4D:BF:78:5D:66:7F:A8

 

            X509v3 Basic Constraints:

                CA:TRUE

    Signature Algorithm: sha1WithRSAEncryption


example.com.myapplication.zip


Hi @watcher,

Thanks for bringing this to our attention.  This issue has been resolved and will no longer be detected in future database versions.

Thanks again,

Nathan
