Posted

A bunch of months ago I downloaded an app called File Restore - Photo Recovery from a dev called Sattelite World Maps, from the Google Play Store. No antivirus detected it as wrong, but it's a weird app that had a lot of ads, and it was removed from the Play Store. Here is the VirusTotal report: https://www.virustotal.com/gui/file/c44ca355598afc759b725e06830736f6963da22b31d9773b5c0f5c868de3616a/detection

Also the Uptodown file: https://file-restore-photo-recovery.uptodown.com/android/descargar

Wayback Machine page of the Google Play Store page for the app: https://web.archive.org/web/20241224132409/https://play.google.com/store/apps/details?id=com.filerecovery.recovery.recentlydeletedfiles.deletedvideo

While I now know this is a suspicious app, I didn't then, and am worried about it maybe having exfiltrated personal files, photos or videos somewhere. I know most of these apps cater towards basic data collection for ads and stuff, but am still worried. It had a lot of downloads (500k+ according to the Google Play Store page), so I dumbly didn't think much of it at the time.

SomebodyOx
Posted (edited)

I have found the APK file of the actual app. It's a different one, and it's also still in the Play Store under a different name: https://play.google.com/store/apps/details?id=com.filerecovery.recovery.recentlydeletedfiles.deletedvideo

 

This is the analysis: https://hybrid-analysis.com/sample/fc123b7cae56a746ee023d792b3e773766f3f203bd1b4533c69e1dcc21efb3fe/68a039309edd5a36e108328d

According to Gemini it seems to be more of an adware-focused app. What is your opinion?

Edited by Berny
SomebodyOx
Posted

Also forgot to add, data usage seemed to be pretty low. It loaded a lot of videos and ads, like a lot of them, and only used around 18 MB with full permissions before being uninstalled, with basically no data usage in the background, only when the app was opened. But I am not a professional.

Posted

@SomebodyOx Wow, cool, Hybrid-Analysis...

Do you know what this is? This is the official Kaspersky anti-virus installer. Malicious, yep. 😄

  • Confused 1
harlan4096
Posted

As @AlexeyK said, your last link about that app analysis looks like a Kaspersky app installer. About Photo Recovery, that app looks legit ALWAYS if you use the official installer, and not a mod or an app installer downloaded from a suspicious site, and not the official site.

SomebodyOx
Posted
40 minutes ago, harlan4096 said:

As @AlexeyK said, your last link about that app analysis looks like a Kaspersky app installer. About Photo Recovery, that app looks legit ALWAYS if you use the official installer, and not a mod or an app installer downloaded from a suspicious site, and not the official site.

Well, as I mentioned, it was found through the Play Store app. You think, based on the Hybrid Analysis report, that it's likely a legitimate app instead of a dangerous one?

Reposting the same link to avoid confusion: https://hybrid-analysis.com/sample/fc123b7cae56a746ee023d792b3e773766f3f203bd1b4533c69e1dcc21efb3fe/68a039309edd5a36e108328d

harlan4096
Posted

That cloud Hybrid Analysis tends to be a bit paranoid in general, with almost every executable app. You see, even the legit Kaspersky installer was tagged as malicious, but at VT any of the AV products detect malicious activity in that app so far:

https://www.virustotal.com/gui/file/10c7a5017572ede5af04bd9aa831b32286697768934bd007c504beb6301e8b55?nocache=1

That said, that does not mean it is not malicious, but the Malicious Indicators that Hybrid Analysis shows for that app are a bit weak to finally or directly flag it as malicious.

  • Like 2
Posted
22 minutes ago, harlan4096 said:

cloud hybrid analysis tends to be a bit paranoid

Of course, it's just an additional tool.) Its verdict shows... nothing.)
