Kaspersky Premium (Android) RiskTool.AndroidOS.SpyLoan Alert


always_working
Posted

Hello,

Received this alert when running a scan on my phone - please see the attached screenshot.

I read the article at https://www.bleepingcomputer.com/news/security/mobile-trojan-detections-rise-as-malware-distribution-level-declines/ and my initial reaction is that this app has been noted as one that needs permissions often associated with malicious apps.

I can say that this alert only appeared after updating the app to the most recent version.

Am I correct in my assumption or is it possible that the app has been compromised?

Any help is appreciated as this is concerning to me and potentially time-sensitive.  It's actually the first such alert I've received using the app on Android.

Screenshot_20231020_173421_Kaspersky.jpg

Flood and Flood's wife
Posted (edited)
4 hours ago, always_working said:

I can say that this alert only appeared after updating the app to the most recent version.

Any help is appreciated as this is concerning to me and potentially time-sensitive.

Hello @always_working

Welcome back!

Read before you create a new topic! - & post the required information - we should not have to guess OR waste time figuring out basic information you should be providing

⚠️When issues are *concerning & potentially time-sensitive* - contact Kaspersky Customer Service - they will give you an almost immediate response & are paid to do so⚠️

  1. *Which* app was updated to the most recent version - Kaspersky OR YouMail? 
  2. The alert / Kaspersky - is telling (you) the app has *potential* to do harm - Kaspersky is trying to protect (you). 
  3. Is YouMail the mail app you use all the time? 
  4. Re-install YouMail? 
  5. Run a Full scan. 
  6. Log a request with Kaspersky Customer Service. On the support page: https://support.kaspersky.com/b2c#contacts, select either Chat or Email, then fill in the "Malware, I suspect my device is infected" template; please include any screen images of the error & a detailed history. Support may request logs, traces & other data; they will guide you.
  • Please share the outcome with the Community, when it's available.
  • Read: Riskware (not-a-virus).
  • Read: IT threat evolution in Q2 2022. Mobile statistics: "On the contrary, the number of attacks by the RiskTool.AndroidOS.SpyLoan riskware family (loan apps that request access to users’ text messages, contact list and photos) more than quadrupled from the first quarter."

Thank you
Flood+

Edited by Flood and Flood's wife
pn
always_working
Posted
17 hours ago, Flood and Flood's wife said:

Hello @always_working

Welcome back!

Read before you create a new topic! - & post the required information - we should not have to guess OR waste time figuring out basic information you should be providing

⚠️When issues are *concerning & potentially time-sensitive* - contact Kaspersky Customer Service - they will give you an almost immediate response & are paid to do so⚠️

My apologies for not providing the basic information initially which I will ensure I do moving forward.

Android One UI 5.1 (Android 13-based)

Youmail version 5.5.0

Kaspersky Premium (Android) version 11.105.4.10750

With respect to Kaspersky (I love their products), I have had much better experiences and more success posting here.

Youmail is the app in question that was just updated to the most recent version.  Youmail's not a mail app - it's a call screener to stop robocalls that I use consistently.  Seeing this detection on two different phones and reinstalling Youmail doesn't stop it.  Running an older version of the same app on a different phone with no such detection.

I don't think the app is malicious but I've also reached out to that company directly and will follow up.  I know it's preferable to know than to suppose, but I do think it's being identified as riskware solely due to the permissions it needs and not because it's malicious.

A full scan shows the same detection but nothing else.

Your reply would be appreciated.

 

 

Flood and Flood's wife
Posted (edited)
10 hours ago, always_working said:

Your reply would be appreciated.

Hello @always_working

Thank you for posting back & the information! Danila T. wrote the guidelines for a reason - it would be gold if *all* Community members used them - *all* the time!

We understand (your) reluctance to contact Kaspersky & the logic behind it *however* in this specific case - Kaspersky's VIRUS LAB & their experts are the team that needs to be engaged - the VL experts are the only ones who can give advice on the alert

Even if one of the Kaspersky team (geniuses) who sometimes give advice in the Community were to participate in this topic - they would advise you to follow step 6. in our first reply.

Please do so & please share the outcome with the Community.

Thank you
Flood+

Edited by Flood and Flood's wife
grammar
  • 1 month later...
always_working
Posted (edited)

As an update, I reached out to Youmail who communicated with Kaspersky, and asked them to stop identifying their app as a possible exploit.

The alert stopped appearing a day or so after.

Thanks again for your assistance!

 

Edited by always_working
  • Thanks 1
Flood and Flood's wife
Posted
11 hours ago, always_working said:

As an update, (1) I reached out to Youmail who communicated with Kaspersky, and asked them to stop identifying their app as a possible exploit.

The alert stopped appearing a day or so after.

Thanks again for your assistance!

Hello @always_working

You're most welcome!

Well done & congratulations & may we again state - that outcome would not have happened - without you or your third party - contacting Kaspersky Virus Lab experts.

Thank you
Flood+

  • 1 year later...
Posted

My application has been detected as a RiskTool.AndroidOS.SpyLoan Trojan. We have removed unnecessary permissions, removed the ability to read call records, SMS, contacts, and upload image resources; Upload to https://www.virustotal.com After the website was launched, it was still detected as PUP/Android SpyLoan and Not-a-virus: HEUR:RiskTool.AndroidOS! Our application is a normal lending company, how can we identify this risk?

Flood and Flood's wife
Posted (edited)
3 hours ago, yc007 said:

My application has been detected as a RiskTool.AndroidOS.SpyLoan Trojan. We have removed unnecessary permissions, removed the ability to read call records, SMS, contacts, and upload image resources; Upload to https://www.virustotal.com

After the website was launched, it was still detected as PUP/Android SpyLoan and Not-a-virus: HEUR:RiskTool.AndroidOS!

  1. Our application is a normal lending company, how can we identify this risk?

Hello @yc007

Welcome!

  • (you) can check the application or website using Kaspersky's Threat Intelligence Portal
  • IF there's an application with an exe or an apk -> *zip* the files that are being blocked by Kaspersky - protect the zip with a password, either *MALICIOUS* or *INFECTED*; add zip archive to the problem when you submit it & *include the zip password* 
  1. IF (you) have a *paid* Kaspersky subscription, not Free, log a case with Kaspersky Customer Service, https://support.kaspersky.com/b2c#contacts  - on the support page, select either Chat or Email, then fill in the template as shown; please include a *detailed history*. Support may request logs, traces & other data, they will guide you. *Ask the Kaspersky Virus Lab experts to analyse the problem*
  2. *Also* -> IF using Chat - ask the operator to email (you) a copy of the chat transcript *before* ending the chat - otherwise (you'll) have no record of the chat

Please share the outcome, with the Community, when it's available.

Thank you
Flood+

Edited by Flood and Flood's wife
removed whitespace
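
As an added example (not part of any post in this thread, and not Kaspersky's detection logic, which the page does not describe): one way a developer can list which permissions in a decoded or merged `AndroidManifest.xml` still touch the data types the thread associates with SpyLoan (text messages, contacts, call records, photos). The category table, the function name `audit_manifest` and the sample manifest are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: categories chosen for this example from the data types named in
# the thread. This is not Kaspersky's detection logic.
SENSITIVE = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS", "RECEIVE_MMS"},
    "contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "call_log": {"READ_CALL_LOG", "WRITE_CALL_LOG"},
    "photos_media": {"READ_EXTERNAL_STORAGE", "READ_MEDIA_IMAGES",
                     "READ_MEDIA_VIDEO"},
}

# Constructed sample: a decoded manifest in which SMS and call-log permissions
# are gone, but a contacts and a media permission are still declared.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lender">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>
"""


def audit_manifest(xml_text):
    """Return {category: [permission, ...]} for sensitive permissions requested."""
    root = ET.fromstring(xml_text.strip())
    findings = {}
    # uses-permission-sdk-23 also results in a request on Android 6.0 and later.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.findall(tag):
            name = element.get(ANDROID_NS + "name", "")
            prefix, _, short = name.rpartition(".")
            if prefix != "android.permission":
                continue  # custom or vendor permission, outside this table
            for category, perms in SENSITIVE.items():
                if short in perms:
                    findings.setdefault(category, set()).add(short)
    return {category: sorted(perms) for category, perms in findings.items()}


if __name__ == "__main__":
    for category, perms in sorted(audit_manifest(SAMPLE_MANIFEST).items()):
        print(f"{category}: {', '.join(perms)}")
```

Run it against the manifest decoded from the release APK rather than the project's source manifest, since the build merges in permissions declared by libraries.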
  • 5 weeks later...
Flood and Flood's wife
Posted (edited)
1 hour ago, Rupa said:

Our Application has also been detected as not-a-virus:HEUR:RiskTool.AndroidOS.SpyLoan.qk. Our app doesn't have any function of adware and ads. Also, we have removed unnecessary permissions. But it still was detected and flagged with the same not-a-virus:HEUR:RiskTool.AndroidOS.SpyLoan.qk.

  • Our App is a normal lending app. How can we identify this risk and remove it?

Hello @Rupa

Welcome!

For Kaspersky a *RiskTool* classification simply lets Kaspersky subscribers know there may be some risk associated with the software -> in case those subscribers do not know the software is installed on their Android & OR those subscribers do not know the manner in which (your) application works. Read: RiskTool

IF (you'd) like Kaspersky's Virus experts to re-evaluate the software & IF (you) have a *paid* Kaspersky subscription, not Free:

  1. Read: False detections by Kaspersky applications. What to do? & What to do if a Kaspersky application blocks my website or application.
  2. **Zip the application files; add a password to the zip file - either MALWARE or INFECTED & tell support the password**
  3. Log a request with Kaspersky Customer Service, https://support.kaspersky.com/us/b2c/us#contacts - select either Email or Chat, then fill in the template as shown; include a *detailed history*, request the case get sent to the Kaspersky Virus Lab for their expert analysis.
  • *Also* -> IF using Chat - *before* ending the chat -> ask the operator to email (you) a copy of the chat transcript - otherwise (you'll) have no record of the chat

Please share the outcome with the Community, when it's available.

Thank you
Flood+

Edited by Flood and Flood's wife
removed white space
Posted

Hi, Thanks for your answer. We have submitted a reanalyze in the https://opentip.kaspersky.com/ also adding our contact email. When can we get the response from the team?

  • Thanks 1
Flood and Flood's wife
Posted (edited)
17 minutes ago, Rupa said:
  1. We have submitted a reanalyze in the https://opentip.kaspersky.com/ also adding our contact email.
  2. When can we get the response from the team?

Hello @Rupa

You're most welcome!

  1. In our opinion & experience it would be more effective to submit using the method we outlined beginning at dot point 2. in our previous reply; the reason being, this method creates an incident reference number & can be tracked by you; Kaspersky's Threat Intelligence Portal has no way for users to track their submissions.
  2. When the Virus Lab have done their work; please patiently wait; if (you) don't have a response within fourteen days, use the method we outlined beginning at dot point 2. in our previous reply. 

Thank you
Flood+

Edited by Flood and Flood's wife
Kaspersky's Threat Intelligence Portal has no way for users to track their submissions.
