Headwind Remote for Android is detected as Android/Trojan.Agent.gx


Hi,

Headwind MDM is an open source mobile device management system for Android. Recently, our users have been complaining that one of the Android modules, the remote access module, is detected as a trojan.

Here's the link:

https://headwind-remote.com/files/hremote-1.35-premium.apk

Our software is "open core" and the source code of the APK is available on GitHub:

https://github.com/h-mdm/remote-control-android

The source code of that particular APK (full version) could also be provided on demand; it is available in a private repository.

Recently, we ordered a source code review by an independent cybersecurity company. They thoroughly inspected the source code and found no malicious code; however, they noted that Malwarebytes and ESET trigger malware alerts. They reported two possible reasons: a trojan injection at the build stage (unlikely) and a similarity to a GoatRat trojan, which was apparently created using our open source code base. The report is available here:

https://headwind-remote.com/files/HeadwindMDM-NTF-06-18-2023_Final_Rev2.pdf

How could we proceed to fix the issue?

Edited by AdvancedSetup
Disabled hyperlink

The IP is blocked. Staff will investigate.

The VT link for the apk. https://www.virustotal.com/gui/file/c407b3dc59e7b8ab357844dfc512bc1057c246f334200ebe0ffc0fd139b31aac?nocache=1

Category: Malware
Domain:
IP Address: 77.222.59.36
Port: 80
Type: Outbound
File: C:\Program Files\Mozilla Firefox\firefox.exe

Edited by Porthos

Hi @vmayorow,

Thanks for reaching out! I went ahead and removed the detection. It will no longer be detected in future database versions.

However, it looks like many other vendors are still finding this as GoatRat, as the PDF you sent states: https://www.virustotal.com/gui/file/c407b3dc59e7b8ab357844dfc512bc1057c246f334200ebe0ffc0fd139b31aac/detection


Thank you for reviewing our mobile application, and I'm happy you confirm that Headwind Remote is clean and safe!

I know that some other vendors are still finding Headwind Remote as malware and I wonder how I could prevent this. We already got a clean report from a few of them (the latest VirusTotal report shows 10 warnings whereas it had been 12 a week ago).

I would appreciate it if you could give me any hints on how the issue could be fixed globally. Do you know / use any open malware repositories containing malicious code samples where GoatRat could be stored?


2 minutes ago, vmayorow said:

Thank you for reviewing our mobile application, and I'm happy you confirm that Headwind Remote is clean and safe!

I know that some other vendors are still finding Headwind Remote as malware and I wonder how I could prevent this. We already got a clean report from a few of them (the latest VirusTotal report shows 10 warnings whereas it had been 12 a week ago).

I would appreciate it if you could give me any hints on how the issue could be fixed globally. Do you know / use any open malware repositories containing malicious code samples where GoatRat could be stored?

Private Message already sent before I even read this. 😉
