This file has 16 detections, is it safe to install it? (reddthat.com)

submitted 1 year ago* (last edited 1 year ago) by Aresff@reddthat.com to c/piracy@lemmy.dbzer0.com

15 comments fedilink hide all child comments

https://www.virustotal.com/gui/file/a64ef85085e7db98244dd2128b2674f02e7fd0dff3ba393525edeedcb5ad6044/detection

I downloaded it from androeed.ru, which is in the megathread. However, it has 16 detections, and it's labled trojan, and I never used androeed.ru before, so idk how trustable it is.

Still I'm tempted to install it since sandbox found no Network comms. But I'm new to piracy so I think I should ask here first.

Thanks for replying! Edit to provide a bit more info:

This is a mod apk file for a paid game called sproggiwood, so I thought it would be normal to drop files like /libandroeedru.so, you know, to unlock game or something.
The site androeed.ru is in the 2nd place in "Android Cracked/Modded App Markets & Repos" list, right after mobilism, so I thought it was a famous piracy site as well. (I'm new to piracy, so idk. Is it famous?)
This file was uploaded to androeed at 2020, which means if it is indeed malicious, the site is unsafe since 2020, so it should be removed from megathread long time ago. Is the megathread that outdated?
Trojan means it steals info via internet. And virustotal said it only contacted 5 domains: 1: clientservices.googleapis.com 2: connectivitycheck.gstatic.com 3: gmscompliance-pa.googleapis.com 4: gstatic.com 5: infinitedata-pa.googleapis.com Does this mean the detections are false positives or am I missing something?

I'm at a loss. Please help! Thank you very much.

top 15 comments

sorted by: hot top controversial new old

[-] glad_cat@lemmy.sdf.org 36 points 1 year ago

A russian file labeled as a trojan? It must be perfectly safe. Or at least you’ll learn a valuable lesson.

[-] Aresff@reddthat.com 1 points 1 year ago

Are russian files more likely to be malicious? I'm curious.

[-] glad_cat@lemmy.sdf.org 3 points 1 year ago

In the past (I.e. 90s to 2000), very yes. Nowadays I don’t know, but with the war and the spying stuff, I would still avoid such sources.

[-] thelonelyghost@infosec.pub 21 points 1 year ago* (last edited 1 year ago)

This reads the same as "hi, my friend saw my {dating app} date's photo up at the post office with the note that they were wanted for the murder of 16 different {my demographic}. Should I still go on a date with them to that remote cabin in the woods?"

[-] phx@lemmy.ca 6 points 1 year ago

From a .RU site no less...

[-] Aresff@reddthat.com 1 points 1 year ago* (last edited 1 year ago)

Yeah. It's a lot safer to go on a date with someone who was wanted for the murder of just 1 or 2 different persons to that remote cabin in the woods, isn't it? :D

[-] Pulp@lemmy.dbzer0.com 12 points 1 year ago

Find another source

[-] Aresff@reddthat.com 1 points 1 year ago

I searched the entire list of "Android Cracked/Modded App Markets & Repos" but unfortunately no other site has this 1.3.2 modded version.

[-] binboupan@lemmy.kagura.eu 9 points 1 year ago

They seem to drop a library file not existing in the original apk in the filesystem:
/data/app-lib/com.freeholdgames.sproggiwood-1/libandroeedru.so
I wonder what is its' purpose..

[-] Aresff@reddthat.com 1 points 1 year ago

I'm curious too. Since it has the same name as the site and the site is in the megalist, could it be safe?

[-] binboupan@lemmy.kagura.eu 1 points 1 year ago

probably to inject ads or toast messages when you launch the game

[-] OsrsNeedsF2P@lemmy.ml 3 points 1 year ago

Malicious files can still be uploaded to trusted sites, but in general apks are well sendboxed so it's difficult to get a trojan on a non-rooted, up to date Android phone.

What is the apk supposed to be for?

[-] Aresff@reddthat.com 1 points 1 year ago

It's a mod apk file for the game sproggiwood 1.3.2. The file seems to be modded by the site itself though, so if it's malicious I guess the site is not trustable.

[-] Flatworm7591@lemmy.dbzer0.com 2 points 1 year ago

There's a decent write up on how Android 'dropper' malware functions here. TLDR - while the APK may be clean, it tries to trick you into installing a malware infected APK later in the install process or during a fake update.

[-] Aresff@reddthat.com 1 points 1 year ago

Thanks. That dropper function looks dangerous. However, the first dropper campaign spotted by Threat Fabric at the beginning of October 2022, and this file was uploaded at 2020, so even if it's indeed malicious, it's probably a different bad guy I guess.