4

My antivirus program (CA Anti-Virus) just started reporting the existence of "AndroidOS/SMSTroj.D!generic" in a few of the .dex files generated for my Android projects in Eclipse. (I'm not writing malware!)

Has anyone else seen anything similar?

Is my development environment infected somehow, or is this a false positive? How can I verify and, if it's real, disinfect my system?

I haven't found any info about this trojan (the CA site reports no info). Does anyone have pointers to info about this (in particular about disinfecting the development environment)?

Ted Hopp
  • I would suggest contacting security@android.com. I suppose it's conceivable that some other virus/malware infected your development environment, though that would seem to break ground on a couple of fronts. – CommonsWare Feb 03 '12 at 22:48
  • @CommonsWare - Good suggestion; I'll do that. Meanwhile, I have some more info: none of Microsoft Security Essentials, Norton Anti-Virus or Avast are complaining about these particular files. For now, I'm treating this as a false positive and I'll contact CA as well. The timing is suspicious, though; all the files were produced after updating to the latest Android tools. – Ted Hopp Feb 05 '12 at 00:51

2 Answers

2

Contacting CA does seem like a good idea, but it might also be interesting to create a blank/hello world app and clean/rebuild the dex files a few times and see if anything picks up. Somehow I doubt a virus would try to parse your program and see what it's doing (other than perhaps permissions of the manifest, I guess you could copy over those from your "infected" project) so a build of any dex I would think should give you the same results. I suspect it's a false positive too. If it comes through clean you can slowly add a few classes at a time from your "infected" project and narrow it down that way.

kabuko
0

Yes, it's a TROJAN. Have a look here.

https://www.virustotal.com/file/dcf44f7262682ec2274829e6a14dfde470ca60dc1fbb2b76ff1053230ae305c2/analysis/1323302988/

Shankar Narayana Damodaran
  • That web page doesn't do much more than list the names of known malware. I already know that it's the _name_ of a trojan. The question is whether this is for real or a false positive. – Ted Hopp Feb 05 '12 at 00:45
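
For the "how can I verify" part of the question, an added example (not code from any of the posts above): a Python check of the integrity fields every .dex header carries (Adler-32 checksum and SHA-1 signature), plus the file's SHA-256, which is the kind of hash the VirusTotal URL above is keyed by. The names `inspect_dex` and `build_sample_dex` are made up for this example, and the sample file is constructed so the check runs offline.

```python
import hashlib
import struct
import sys
import zlib

DEX_HEADER_SIZE = 0x70  # fixed header length in the DEX format

def inspect_dex(data: bytes) -> dict:
    """Check a .dex file's built-in integrity fields and hash it for lookup."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n" or data[7:8] != b"\x00":
        raise ValueError("not a DEX file")
    checksum, = struct.unpack_from("<I", data, 8)   # Adler-32 over bytes 12..end
    signature = data[12:32]                          # SHA-1 over bytes 32..end
    file_size, header_size, _endian = struct.unpack_from("<III", data, 32)
    class_defs_size, = struct.unpack_from("<I", data, 96)
    return {
        "version": data[4:7].decode("ascii"),
        "size_ok": file_size == len(data) and header_size == DEX_HEADER_SIZE,
        "checksum_ok": zlib.adler32(data[12:]) & 0xFFFFFFFF == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "class_count": class_defs_size,
        # SHA-256 of the whole file: what multi-scanner services index files by
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def build_sample_dex(payload: bytes = b"\x00" * 16) -> bytes:
    """Constructed sample: a header-only DEX with valid integrity fields.
    It is not a loadable app; it only exercises the checks above."""
    body = struct.pack("<III", DEX_HEADER_SIZE + len(payload),
                       DEX_HEADER_SIZE, 0x12345678)
    body += b"\x00" * (DEX_HEADER_SIZE - 32 - len(body))  # other header fields zeroed
    body += payload
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body

if __name__ == "__main__":
    # Pass .dex paths on the command line; with none, the constructed sample is used.
    blobs = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for name, blob in blobs or [("<sample>", build_sample_dex())]:
        print(name, inspect_dex(blob))
```

A mismatch in `checksum_ok` or `signature_ok` means the file was changed after the build tool wrote it. Matching fields do not by themselves show the content is benign, since they can be recomputed.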