Android Question [closed] Obfuscator generates strings that may be detected as virus false positives?

The salt used during string obfuscation changes every compilation. The output is completely different each time.

Erel said:

The salt used during string obfuscation changes every compilation. The output is completely different each time.

Click to expand...

Multiple attempts to compile slightly modified modules did not bring any improvement.

Even an apk file without obfuscation received a false positive.

A review of older versions in the Playstore revealed something interesting.

An apk file from October 2022 was downloaded from the Playstore and scanned with Virustotal - everything OK.

All other versions available in the Playstore (apk and aab files) from November 2022 onwards give a false positive.

Now I need to find out what was changed in the period October - November 2002 (within the app or on Google side).

I will now disable some libraries individually to further narrow down the problem.


Library1 = ah_checkinternet
Library2 = ajwebkit
Library3 = aspopupmenu
Library4 = b4xencryption
Library5 = b4xpreferencesdialog
Library6 = bctextengine
Library7 = bctoast
Library8 = byteconverter
Library9 = convertimage
Library10 = core
Library11 = dateutils
Library12 = encryption
Library13 = firebaseanalytics
Library14 = firebasenotifications
Library15 = googleplaybilling
Library16 = ime
Library17 = json
Library18 = network
Library19 = phone
Library20 = randomaccessfile
Library21 = reflection
Library22 = runtimepermissions
Library23 = sql
Library24 = ss_aesencryption
Library25 = tabstripviewpager
Library26 = touchimageview
Library27 = viewsex
Library28 = webviewxtended
Library29 = xcustomlistview
Library30 = xui
Library31 = xui views

Hi @fredo
We also put some apk on google drive (even yesterday) for some customers and no false negative results.
Most likely it's some libraries.
those, for example, that we often use color red (so that you can already discard them) are:
Library1 = ah_checkinternet
Library2 = ajwebkit
Library3 = aspopupmenu
Library4 = b4xencryption
Library5 = b4xpreferencesdialog
Library6 = bctextengine
Library7 = bctoast
Library8 = byteconverter
Library9 = convertimage
Library10 = core
Library11 = dateutils
Library12 = encryption
Library13 = firebaseanalytics
Library14 = firebasenotifications
Library15 = googleplaybilling
Library16 = ime
Library17 = json
Library18 = network
Library19 = phone
Library20 = randomaccessfile
Library21 = reflection
Library22 = runtimepermissions
Library23 = sql
Library24 = ss_aesencryption
Library25 = tabstripviewpager
Library26 = touchimageview
Library27 = viewsex
Library28 = webviewxtended
Library29 = xcustomlistview
Library30 = xui
Library31 = xui views

Most likely it's some libraries.
Look at this example:


No detect and use this libraries:



Look another example:


and this apk use this libraries:

Thanks @MarcoRome.

That is some valuable information.

This saves a lot of time to narrow down the relevant part.

Here is a short progress report:

• removetest1: ss_aesencryption and encryption removed --> false positive
• removetest2: ah_checkinternet removed --> false positive
• removetest3: ajwebkit removed --> false positive
• removetest4: viewsex removed --> false positive
• removetest5: convertimage removed --> false positive
• removetest6: webviewxtended removed --> false positive
• removetest7: touchimageview removed --> false positive
• removetest8: xcustomlistview removed --> false positive

The "positive false" problem ist continued in a new thread: https://www.b4x.com/android/forum/t...g-googles-false-positive-virus-checks.147537/