HEUR:Trojan.AndroidOS.Boogr.gsh reported in Android bytecode


⚠ KES 11.5 detects HEUR:Trojan.AndroidOS.Boogr.gsh in the Android bytecode (classes.dex) in an apk we have archived on our file server (so not detected on Android, only by file system scanning on a Windows client endpoint).

🤔 As this is a heuristic detection, the likelihood of a false alarm is higher, so for now I have simply tried adding the detection to exclusions via the “Active threats” window. However, rescanning the files (using avp.com SCAN) after adding the exclusions keeps redetecting the threat as if it wasn’t excluded.

So the questions are:

  1. What is HEUR:Trojan.AndroidOS.Boogr.gsh supposed to detect, and is there a way to manually examine the file contents to check if it is a false alarm?
  2. Why doesn’t adding an exclusion prevent redetecting the same exact threat in the same exact file, and adding the threat back into the “Active threats” window?
  3. Why does scanning the directory containing the apk report this threat as being in filename.apk instead of filename.apk/classes.dex ?
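
An added example, not part of the original post: an APK is an ordinary zip archive, and classes.dex is one member inside it. The Python below inventories each member of an archive with its size and SHA-256, and extracts classes.dex on its own, so the embedded bytecode can be hashed and submitted separately from the .apk container that a file-system scan reports. The archive here is constructed in memory with placeholder bytes (it is not a real APK or real Dalvik bytecode); point `inventory_apk` at the bytes of a real .apk to get the same listing for it.

```python
import hashlib
import io
import zipfile

# Constructed sample: a minimal APK-like zip archive. Real APKs contain
# (at least) AndroidManifest.xml and classes.dex; the member contents here
# are placeholders, not genuine Android bytecode or resources.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _zf:
    _zf.writestr("AndroidManifest.xml", b"<manifest placeholder/>")
    _zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    _zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
SAMPLE_APK_BYTES = _buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def inventory_apk(apk_bytes: bytes) -> dict:
    """Return {member_name: {"size": n, "sha256": hex}} for every file member
    of the archive, plus the container itself under the key "<archive>".

    The container hash is what identifies the .apk on disk; the per-member
    hashes identify what is actually inside it (e.g. classes.dex)."""
    result = {
        "<archive>": {"size": len(apk_bytes), "sha256": sha256_hex(apk_bytes)}
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            result[info.filename] = {"size": len(data), "sha256": sha256_hex(data)}
    return result


def extract_member(apk_bytes: bytes, member: str = "classes.dex") -> bytes:
    """Extract a single member (default classes.dex) so it can be hashed or
    submitted for analysis independently of the surrounding archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(member)


if __name__ == "__main__":
    # Usage: replace SAMPLE_APK_BYTES with open("filename.apk", "rb").read()
    for name, meta in inventory_apk(SAMPLE_APK_BYTES).items():
        print(f"{meta['sha256']}  {meta['size']:>8}  {name}")
```

Comparing the `<archive>` hash with the `classes.dex` hash makes the distinction behind question 3 concrete: the object on the file system is the .apk, while the bytecode the heuristic refers to is a member inside it, and the two have different hashes.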

