Low reputation app warning - unknown app (file name is string of numbers)

Can you help me understand a security message from my the Sophos antivirus app on my Android phone (Samsung S5)? It's a notification about a low reputation app, but the name of the app is just a string of numbers. Does anyone know what this is? Is it malware of some kind?

The file name: 1549406981572

The file path:

/storage/emulated/0/Android/data/com.android.vending/files/dna_data

The notification included a list the following security considerations for the app:

- built for outdated Android versions

- contains executables

- unusual building tool

- read phone number

- little readable text

- not from a trusted app store

- read storage

- write storage

I told the Sophos app to delete it, so hopefully my phone is safe now. But I'd still like to know what it was, and how to prevent getting it in the future. Also, is there anything else I should do besides deleting it? Is my phone data or other apps compromised in any way from this incident?

  • Hi  

    That looks like a dodgy application. Run a full scan from the Sophos application and you should be good to go. I don't think anything was compromised as the app was deleted and not run. 

    Yashraj Singha

    Community Team Lead, Support & Services| Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

     

  • Thanks Yashraj!

    How can I be sure the app wasn't run? Would I have had to open it myself?

    Also, would the scan have caught it in real-time? How would an app like this have got on my phone without me knowing?

  • Hi  

    I believe this was a ".apk" file which was detected. So you/some program will need to run it to infect the device. This app was flagged as a low reputation application and app reputation is a part of Sophos Mobile Security's Live Protection feature which means it was detected in real time. The path of the app suggests that this was placed in the external SD card so there could be many ways how it was placed in that location. Did anything show up in a full scan?

    Yashraj Singha

    Community Team Lead, Support & Services| Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

     

  • Thanks Yashraj!

    I checked the file path on my phone, and it seems to be located in my internal storage, not the external SD card (the path folders are still there, but the actual file isn't). Does that change anything in your assessment of how it might have got on my phone? (I wasn't even using my phone at the time.)

    The detection showed up in a regular full scan, so that's why I wasn't sure if it was detected in real time...

    I've done several full scans since then, and nothing else has shown up.

    However, according to my logs, some of my scans show a varying number of "objects scanned" (ranging from 0 to 8000+ objects scanned for each scan), so I'm wondering if some scans missed some files?

  • P.S. I got another warning about the low rep app again!! Sightly different file name, but same file path. I deleted it again, but I'm wondering what is going on here? How do I keep getting these mysterious files?

    The new file name: 1549681408582

    The old file name: 1549406981572

    The file path (same for both files): /storage/emulated/0/Android/data/com.android.vending/files/dna_data

    What is "com.android.vending"? I was looking at other similar app folders on my phone, and I noticed that at least one of them (com.android.providers.media) contains a similarly named file (different numbers). Is it common for apps to be named with a string of numbers? If so, is it possibly these types of files aren't actually malicious, and I've received a false positive? Or should I be concerned about all files named like this?

  • Hi Yashraj, I'm following up to see if you received my last 2 messages? Sorry if I asked too many questions, and thanks for all your advice!

  • Hi  

    Apologies for the delays in getting back to you. There are a lot of factors to look in to here. First of all, is there any 3rd party app you have installed on your phone apart from Google's playstore? Can you get the details on "dna_data" folder(Properties/info option may give you more info)? The same details can be gathered on the application. Submit the application to Sophos for analysis. I am not a 100% sure, but com.android.vending is a process for Google playstore. 

    Yashraj Singha

    Community Team Lead, Support & Services| Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

     

  • Thanks Yashraj!

    I've been doing some investigating into the apps on my phone. All of them are from the Google Play store, though I did notice that 2 of them contain adverts (and someone told me that sometimes in-app ads can take advantage of phone vulnerabilities). So I deleted those two apps, and am monitoring the phone now.

    I haven't had this type of incident again, but a weird thing I noticed happened with the Sophos scanner a couple days ago. It showed a notification of two apps it scanned, for no apparent reason. I usually only get those notifications after an app updated, but this time I didn't knowingly have any app updates at that time (according to Google Play Store). In the 'permission change history' section of the Sophos app, it does say those 2 apps were updated on that day. So is it possible for apps to update themselves without this displaying in the Google Play Store?

    If not, I'm wondering why there would have been a scan without updates, and if it's possible something was downloaded onto my phone without me knowing, and if it could be related to what's been going on with my phone? Though this time round the scans didn't show anything, so maybe it's unrelated and a fluke? I also did a full scan afterwards, which came back clean.

    In answer to your question, I couldn't get the details on the "dna_data" folder because it has disappeared from my phone. It must have been deleted the last time the Sophos app deleted the suspicious file (the folder was still there after the first incident, but it isn't after the second incident). Is there any other way to get details on the file or folder after they were deleted?

  • Hi  

    Those might be scanned as Sophos AV engine might have got new definitions and that might have resulted in getting these 2 apps scanned. (Those definitions might be specific for these 2 apps.) I don't think we can get any information on files/folders once they are deleted. 

    Yashraj Singha

    Community Team Lead, Support & Services| Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

     

  • Hi Yashraj,

    Thanks for your previous help! I'm following up because the issue happened again! The Sophos app detected a similar low rep app (the file has same file path, but a different file name - still a string of numbers).

    The new file name: 1551816907224

    The previous file names:

    - 1549406981572

    - 1549681408582

    The file path (same for all files): /storage/emulated/0/Android/data/com.android.vending/files/dna_data

    However this time I didn't become aware of it right away, because according to the Sophos app log, the file was removed from the security assessment 2 minutes after it was detected. So I didn't see any notification on my phone, and the only reason I know now is because I checked the logs after I saw that the Sophos app stats section says "1 detection" for this week. The logs say the detection happened yesterday (Mar 5) at 3:15 pm EST, and I didn't notice the logs until today (Mar 6) around 11 am EST.

    I checked the file path, and the file is no longer there, so I guess that's why it was removed from the security assessment.

    And full scans since then have come out clean. Though according to the logs, there wasn't a full scan until 4+ hours after the detection. It looks like there was an attempted scan earlier, but the logs say "0 objects scanned". (I'm still having some issues with the scans having a varying number of objects scanned.)

    But my question for you: how did that app file get removed without me doing anything? Did the Sophos app remove it? It was flagged as a low reputation app, so should it have asked me first before removing it?

    Or is it somehow possible something malicious had access to my phone to manipulate what happened to the file, in order to trick the Sophos app into thinking the file was gone?

    I'd appreciate your help in understanding how the Sophos app acts in a situation like this.

    Thanks,

    Julie