
Trojan Crypt in Spytify? #278

Closed
kylemcshea opened this issue Dec 17, 2020 · 2 comments
Labels
discussion 💬 Will be converted to a Github Discussion thread

Comments

@kylemcshea

Hi all, I was just given a notification of a trojan crypt hidden in Spytify. I am no computer expert; I just wanted to make sure Spytify didn't make an accidental pull request that should not have happened.

@kylemcshea kylemcshea added the discussion 💬 Will be converted to a Github Discussion thread label Dec 17, 2020
@jwallet
Owner

jwallet commented Dec 19, 2020

I went and read about this kind of alert: https://www.spywareremove.com/removetrojancrypt.html

I can confirm this is a false positive; Spytify does not do that. The only web browser page it opens is when you are using the Spotify API: we ask you to log in to your account to authorize the Spytify API to use your account to search for metadata of the current song being played, since the Spotify API is private and the app does not come with its own client ID for Spotify.

There are also buttons on the UI that link to the project website.

@jwallet jwallet self-assigned this Dec 25, 2020
@jwallet jwallet closed this as completed Dec 26, 2020
@jwallet jwallet removed their assignment Jan 13, 2021
@jwallet
Owner

jwallet commented Jan 14, 2021

So I found out a bit more information: using prevent-to-sleep is seen as a trojan. Spytify tells the system not to go to sleep until the recording session is done, and it does not like that.

See with PowerShell as admin that Spytify gets attached to events: powercfg /requests

After adding some more code to Spytify recently, I added what Microsoft recommended for media recorders and used ES_AWAYMODE_REQUIRED:

Away mode should be used only by media-recording and media-distribution applications that must perform critical background processing on desktop computers while the computer appears to be sleeping.

#336

After adding this mode, I now see on my test machines that the app is completely deleted on execution and it's falsely flagged as trojan:Win32/Wacatac.G!ml, which is a virus that:

will drop several malicious files on the computer, especially on system folders. The threat will then add a registry entry to run the malicious code on each Windows start-up. It is also able to conceal itself by loading the code as Critical Windows process. This technique is also one way to make it invisible from virus and malware scanners.

https://malwarefixes.com/threats/trojanwin32-wacatac-dml/

What I did is that I removed that commit, so the recorder becomes less effective when away from the keyboard, but I cannot remove PreventToSleep completely, otherwise it compromises the recorder: as soon as the computer comes back from sleep the recorder will resume and add all the wave buffer (Spotify continued to play) into one file.
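As an added example of the check described in the comment above (this is not code from the Spytify project), the PowerShell below parses the output of powercfg /requests into objects so you can see which kind of power request (SYSTEM, AWAYMODE, EXECUTION) a flagged process actually holds; the sample output, the install path and the reason text in it are constructed, and the function name ConvertFrom-PowercfgRequests is my own.

```powershell
# Added example, not part of Spytify. Turns the text that `powercfg /requests` prints
# into objects: one per requester, with the section (SYSTEM, AWAYMODE, ...) it sits in.
function ConvertFrom-PowercfgRequests {
    param([Parameter(Mandatory)][string[]]$Lines)

    $requests = [System.Collections.Generic.List[object]]::new()
    $section  = $null   # current section header, e.g. "SYSTEM"
    $current  = $null   # last requester seen; the next plain line is its reason text

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^([A-Z]+):$') {                 # section header like "AWAYMODE:"
            $section = $Matches[1]; $current = $null; continue
        }
        if ($line -eq '' -or $line -eq 'None.') { $current = $null; continue }
        if ($line -match '^\[(PROCESS|DRIVER|SERVICE)\]\s+(.*)$') {
            $current = [pscustomobject]@{
                Section = $section; Type = $Matches[1]; Path = $Matches[2]; Reason = $null
            }
            $requests.Add($current); continue
        }
        if ($current) { $current.Reason = $line }          # free-text reason for the requester
    }
    return $requests
}

# Constructed sample in the shape powercfg prints. On a real machine replace it with
#   $lines = powercfg /requests      (run from an elevated PowerShell)
$sample = @'
DISPLAY:
None.

SYSTEM:
[PROCESS] \Device\HarddiskVolume3\Program Files\Spytify\Spytify.exe
Recording session in progress

AWAYMODE:
[PROCESS] \Device\HarddiskVolume3\Program Files\Spytify\Spytify.exe
Recording session in progress

EXECUTION:
None.
'@ -split "`r?`n"

# Show which request types the recorder holds; a SYSTEM request alone keeps the machine
# awake, the extra AWAYMODE request is the ES_AWAYMODE_REQUIRED behaviour discussed above.
ConvertFrom-PowercfgRequests -Lines $sample |
    Where-Object Path -like '*Spytify*' |
    Format-Table Section, Type, Reason -AutoSize
```

Running this against a live powercfg /requests lets you confirm that a binary flagged for "preventing sleep" holds only the request types its documented behaviour needs, which is the evidence to attach when reporting a false positive to the AV vendor.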
