Fake virus report of "Andriod/Trojan.Dropper.Agent.CEV" with qiku cert

[watcher]

Hi sir,

 

It seems Malwarebytes get fake virus report for app signed with our company's cert: "testkey/emailAddress=android@qiku.com", please check attachment for test.

 

any apk file + testkey cert = Andriod/Trojan.Dropper.Agent.CEV

 

Please help thanks.

 

--------------------------------------

 

Cert information:

EMAILADDRESS=android@qiku.com, CN=testkey, OU=Qiku, O=Qiku, L=ShenZhen, ST=GuangDong, C=CN

MD5: CA:57:D0:DD:23:93:A7:CC:CF:95:74:85:4E:11:7E:9D

SHA1: F7:02:01:60:B4:96:AE:66:34:DF:AE:2E:60:B3:6E:56:0D:D3:84:0B

SHA256: D1:24:82:54:9C:80:F8:B2:3F:67:E0:94:05:F6:BD:50:E5:94:1B:3E:A5:A0:AF:5E:77:92:6F:0E:92:72:3B:3E

 

 

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            d8:a6:f8:31:66:e2:19:9e

    Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=Qiku, OU=Qiku, CN=testkey/emailAddress=android@qiku.com

        Validity

            Not Before: Jan 27 02:59:12 2016 GMT

           Not After : Jun 14 02:59:12 2043 GMT

        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=Qiku, OU=Qiku, CN=testkey/emailAddress=android@qiku.com

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)

                Modulus:

                    00:d5:0c:64:fa:7b:32:1a:ab:d1:7a:39:73:4d:1c:

                    0b:67:62:f4:6d:94:2a:6c:ea:a2:5f:d2:0f:12:84:

                    27:eb:70:26:b9:eb:8b:75:64:f7:0b:d4:b0:b7:18:

                    b3:78:13:15:95:51:69:52:01:12:1d:e0:19:41:23:

                    62:a7:f6:3f:65:fc:01:53:c2:f4:54:a8:4c:e6:be:

                    68:7f:51:3f:09:64:a0:84:61:63:41:81:8f:e6:0a:

                    aa:34:b8:04:ad:e0:9e:a2:a3:a5:8b:4b:07:38:e4:

                    94:a4:dd:30:d9:a9:a2:1e:f3:b0:7b:e0:5e:98:7b:

                    0b:e9:d5:da:cb:bf:85:f1:ea:f4:5d:00:e0:cb:49:

                    7f:18:68:8d:94:ea:69:73:ab:76:10:34:20:f7:95:

                    d6:8e:b7:a3:60:7c:dc:fe:3b:a8:c6:ac:76:9e:62:

                    61:75:58:72:e7:45:bf:18:74:8f:be:80:58:25:49:

                    51:b2:f5:24:42:c1:a9:d3:64:e4:2a:c2:36:af:b2:

                    06:71:a9:94:c8:b3:10:dd:de:61:61:1e:5a:35:55:

                    1e:2c:f2:a6:63:f4:49:0c:f5:7f:f6:8b:a7:34:ae:

                    02:6b:98:02:0b:06:fe:e9:6f:93:5b:f6:8b:b4:08:

                    0a:e5:0c:a3:63:f6:7a:a8:22:77:bd:9e:c2:02:1b:

                    83:e1

                Exponent: 3 (0x3)

        X509v3 extensions:

            X509v3 Subject Key Identifier:

                69:F6:FE:6C:40:29:7F:4B:C1:BE:F9:94:5C:4D:BF:78:5D:66:7F:A8

            X509v3 Authority Key Identifier:

                keyid:69:F6:FE:6C:40:29:7F:4B:C1:BE:F9:94:5C:4D:BF:78:5D:66:7F:A8

 

            X509v3 Basic Constraints:

                CA:TRUE

    Signature Algorithm: sha1WithRSAEncryption

         1c:f7:e0:8c:72:b6:f6:fa:db:10:d9:76:00:d0:dc:19:39:f8:

         a6:54:9e:b8:5d:f2:b9:92:93:9b:ea:3b:9b:a2:4a:27:e5:24:

         5d:f3:00:f4:f9:7a:55:ae:1d:21:9b:fd:66:8e:a9:90:d4:75:

         1b:41:41:e3:d4:84:23:bf:9b:e5:4d:cf:31:ef:8e:45:ff:fa:

         7f:a9:c1:2c:e8:7d:93:2a:e1:e8:78:c3:3f:e2:38:66:12:ac:

         eb:66:0f:41:68:d9:d0:b4:7a:7c:91:eb:74:15:c3:cc:ce:cb:

         4a:ea:a1:52:41:25:c3:62:0a:19:3c:6b:31:fd:bc:a3:ac:d5:

         f5:c4:81:ba:bb:cc:ab:41:14:26:53:a5:ed:43:8e:48:6f:ae:

         e2:5e:82:0b:15:ce:f3:af:a8:f3:f9:e5:46:e6:2d:da:a8:b1:

         ae:52:58:09:17:38:8f:94:cc:5c:5f:5f:90:58:27:50:c0:eb:

         ed:2c:7a:94:c0:f1:cf:28:e4:b9:08:f3:e4:e4:1a:d2:33:c2:

         df:92:0c:92:d7:39:61:7d:71:d2:d9:c6:c5:de:a3:39:f9:8d:

         63:c4:61:80:ad:6b:d2:fc:ad:0e:ba:d3:bf:cb:89:0c:81:55:

         dc:56:72:11:f5:dd:2b:21:a4:db:e0:e9:96:ef:c4:03:d2:9b:

         c5:0e:8c:bb

example.com.myapplication.zip

[mbam_mtbr]

Hi @watcher,

Thanks for bringing this to our attention.  This issue has been resolved and will no longer be detected in future database versions.

Thanks again,

Nathan