Over the last several days, some serious accusations have been leveled against a custom ROM named Triplekoo, which is made by @TripleU. He stands accused of using his religion to distribute malware to his unsuspecting religious compatriots. Due to the seriousness of these allegations, I decided that an in-depth investigation was appropriate.
I decided to ignore for the moment the pornography and antisemitic comments posted by the accusers, and reached out to them privately.
(By the way, when I confronted them about their inappropriate language, they denied posting this:
It got much, much worse than this. This is the only screenshot I can post.)
After I repeatedly pressed them for more information about their GBoard permissions comment, they identified the android.permission.DOWNLOAD_WITHOUT_NOTIFICATION permission as one they thought was problematic. So naturally I checked the permissions requested by GBoard from Google Play and found DOWNLOAD_WITHOUT_NOTIFICATION. You can try this at home: adb shell pm dump com.google.android.inputmethod.latin | grep permission. When confronted with this evidence, they backed down on their claim that GBoard permissions were messed with.
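The same check, written up as a small script (an added example, not code from the original post or from the Triplekoo ROM): it pulls the "requested permissions" block out of pm dump output and prints anything that is not in a baseline list such as the app's Play Store listing. The dump text, package name and baseline are constructed for the example; against a real device you pipe in adb shell pm dump <package> instead.

```shell
#!/bin/sh
# Added example (not code from the original post or the ROM): extract the
# permissions an installed package requests from `pm dump` output and diff
# them against a baseline such as the Google Play listing. The SAMPLE_DUMP
# below is CONSTRUCTED to mimic the layout of `pm dump`; it is not a capture.

SAMPLE_DUMP='Packages:
  Package [com.example.keyboard] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION: granted=true
    User 0: ceDataInode=123 installed=true'

# Constructed stand-in for what the store listing says the app asks for.
PLAY_BASELINE='android.permission.INTERNET
android.permission.DOWNLOAD_WITHOUT_NOTIFICATION'

# Read a pm dump on stdin; print the "requested permissions:" block, sorted.
# The block ends at the first line that is not a lone permission name
# (e.g. the "install permissions:" header that follows it).
requested_permissions() {
    awk '
        /^[ \t]*requested permissions:/ { inblock = 1; next }
        inblock && /^[ \t]*[a-z][A-Za-z0-9_.]*$/ { print $1; next }
        inblock { inblock = 0 }
    ' | LC_ALL=C sort -u
}

# Read a pm dump on stdin; print requested permissions that are missing from
# the newline-separated baseline in $1. Empty output means no surprises.
unexpected_permissions() {
    baseline=$(mktemp)
    printf '%s\n' "$1" | LC_ALL=C sort -u > "$baseline"
    requested_permissions | LC_ALL=C comm -23 - "$baseline"
    rm -f "$baseline"
}

# Offline demo on the constructed dump. Against a device, replace the printf
# with: adb shell pm dump com.google.android.inputmethod.latin
printf '%s\n' "$SAMPLE_DUMP" | unexpected_permissions "$PLAY_BASELINE"
```

In the constructed sample the only line printed is android.permission.READ_CONTACTS, the one permission the fake listing did not mention; a permission showing up here is a reason to look closer, not proof of anything on its own.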
Now for their comments on the 9/10 scores on Triage. Triage is a malware detection website that does static and behavior analysis on samples that users submit. For example, here is a screenshot of Triage's evaluation of an APK included in the Triplekoo ROM:
Looks pretty scary, doesn't it? 10 out of 10 that it is malicious? Well, not so fast there. Let's scroll down from the headline and see the details of the malicious behavior.
(Side note: All sample submissions on Triage are public. You can search the MD5 hash to find every time a particular file has been uploaded. The only time the HebDate APK was analyzed does not exactly match the screenshot our very angry friends have provided. You can check this out by searching Triage for b7d061776dbd86cfe04ef453e21bd513. It does make one wonder about the integrity of the accusatory screenshots.)
Anyway, back to the show. Let's look in detail at the behavior Triage thinks is suspect. Here is a screenshot of all the behavior:
Let's start with the DEFENSE_EVASION behavior. What triggered that was HebDate checking whether the device is rooted. Now, IDK if anyone around here is familiar with Android apps in general, but many apps check for root and refuse to work if the device is rooted. There is nothing unusual at all about an app checking for root. It is a meaningless indicator unless paired with ACTUAL EVIDENCE OF REAL MALICIOUS BEHAVIOR.
Next, let's look at "Loads dropped Dex/Jar". This supposedly malicious behavior consists of loading the Google Maps SDK and the app's own internal code. Normal stuff.
On "Queries a list of installed applications", the app appears to be looking up its own information from the Android package manager, which triggers this false alert. Also normal Android stuff.
"Queries information about running processes on the device" is also a false alert. Many Android apps query information about their own processes.
On "Reads the content of the calendar entry data", well, HebDate is a calendar app. Of course it is reading calendar entry data.
All the other listed behaviors are standard across pretty much every Android app. My banking app does them, the Uber app does them, every app does them. They mean nothing.
All this is to say that Triage is a powerful tool that requires careful understanding of the results. You can't just quote the number at the top. I uploaded the WhatsApp Business app, and it got a 10/10.
After a careful review, there is no evidence of malware. We call on the haters to stop hating and to take down their defamatory statements on their website. You came into this thinking you were about to expose some ignorant, evil Jews, and as a result walked into a trap of your own making. At this point, the only people you are hurting are yourselves, so I recommend, for your own good, that you stop doing so.