This discussion has been locked.

Low reputation app warning - unknown app (file name is string of numbers)

Can you help me understand a security message from the Sophos antivirus app on my Android phone (Samsung S5)? It's a notification about a low reputation app, but the name of the app is just a string of numbers. Does anyone know what this is? Is it malware of some kind?

The file name: 1549406981572

The file path:

/storage/emulated/0/Android/data/com.android.vending/files/dna_data

The notification included a list of the following security considerations for the app:

- built for outdated Android versions
- contains executables
- unusual building tool
- read phone number
- little readable text
- not from a trusted app store
- read storage
- write storage

I told the Sophos app to delete it, so hopefully my phone is safe now. But I'd still like to know what it was, and how to prevent getting it in the future. Also, is there anything else I should do besides deleting it? Is my phone data or other apps compromised in any way from this incident?



  • Hi  

    This article will explain how app reputation works: https://community.sophos.com/kb/en-us/120915. Also, at this point of time, I cannot confirm where exactly those APKs are coming from and hence try formatting the device (after backing up important data) and see if you still face this issue.

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
  • Hi Yashraj,

    Thanks for sharing the article. Though it doesn't answer my question about whether the Sophos app could have deleted the file without me knowing?

    When I back up my phone files, is there a risk that I could unintentionally back up something malicious at the same time?

  • I recently received a warning from the IT services department at the Technical University of Munich that there was unusual traffic coming from my Meizu M3 note to other computers in the university. Another potentially infected computer appeared to be our mass spec machine, which runs Windows 10 without a password and shares the same LAN as my Android phone.

    After installing Sophos I observed the same strangely named app

    Android\data\com.android.vending\files\dna_data\20190528202509

    For anyone interested this is the file -> mega.nz/

    It is about 15 mb and appears to be a zipped archive of zipped archives containing lots of binaries.

    I deleted the file but today the IT services observed unusual traffic from my phone and blocked my MAC address. I also noticed two similar but differently numbered files at the same path.

    Perhaps this weirdly numbered app thing is totally innocent, but there's definitely something dodgy going on with my phone. It would be great if a security expert could have a look into this.

     

    Regards,

    Patrick

  • I have had a Low Reputation App warning three times this week for the same file path but with file name 1568408715343. It appears on a scan, then is removed from the scan. It won't let me delete it. Is this an issue over which I should have concern?

  • The com.android.vendor folder contains the data stored by the Google Play Store app. It's okay to delete these files. You can do it from Settings > Apps > Google Play Store. Then click on Storage. Then clear data. It will show a warning message. Just click to confirm deletion. You should notice that the com.android.vendor folder has been completely removed from your device.

    This could possibly be a false-positive that Sophos is detecting.

    Anyway, I hope this information helps someone!

  • By chance, are you using a Samsung with the home screen layout customizations found in things like Good Lock and/or Home Up?

    I had similar problems myself, and while doing a deep clean I found similarly named photos which were screenshots of my home screen, which I know the app Home Up uses to re-establish your home screen on a. I'm wondering if the app might produce an executable that is actually used to re-establish your home screen.

    If that's the case, we would be able to inform Sophos and have this whitelisted in some manner.