VirusTotal flags android-mic_2.1.8_x64-setup.exe as malicious (6 detections)

[Anjaneekumar]

🐞 VirusTotal flags android-mic_2.1.8_x64-setup.exe as malicious (6 detections)

Hi there 👋 — thank you for this amazing project! I noticed some antivirus detections on the latest Windows installer and wanted to report them respectfully in case it helps others assess the file's safety.

---

🧪 VirusTotal Summary

• File name: android-mic_2.1.8_x64-setup.exe
• Scan URL: VirusTotal Link
• Detections: 6 / 72 vendors flagged the file
• Sample detections:
  • Backdoor.Convagent – VBA32
  • Win64.Trojan.Agent.C6QPJK – GData
  • Win32.Outbreak – Ikarus
  • Others reported as grayware or suspicious confidence-based flags

Most major engines (Microsoft, Bitdefender, Kaspersky) marked it as clean — this may be a false positive, but I wanted to confirm with you.

---

🧩 File Metadata

Field	Value
SHA-256	ff12e9b2fc33f2af598add59405fe83e7696284da64013ddf99f701a6d88d419
MD5	4a0d6e2c5c57f4c1ceeec852cc315398
File Size	8.26 MB
Build Time	2023-07-02 02:09:43 UTC
File Type	Win32 EXE (Nullsoft Installer)
Digital Signature	❌ Not signed

---

🧠 Behavior Analysis (Yomi, CAPE, etc.)

• Detected anti-analysis activity (detect-debug-environment, checks-user-input)
• Drops multiple .dll files (UserInfo.dll, nsis_tauri_utils.dll) to %TEMP% folder — common in NSIS but may raise AV heuristics
• Creates registry entries under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AndroidMic
• DNS lookups to Microsoft/Office domains (e.g., mira-tmc.tm-4.office.com) — likely system background activity
• Flags associated with MITRE ATT&CK techniques for Execution, Defense Evasion, Persistence and Credential Access (though may be broad categorization)

---

🌐 Relations Summary

Contacted Domains

Domain	Detections	Notes
mira-tmc.tm-4.office.com	0/94	Microsoft Teams
svc.ha-teams.office.com	0/94	Microsoft
www.microsoft.com	0/94	Standard telemetry

Bundled/Dropped Files

File	Type	Detections
android-mic.exe	Main binary	2/72
uninstall.exe	Uninstaller	4/72
nsis_tauri_utils.dll	NSIS plugin	2/72
UserInfo.dll, StartMenu.dll	Installer UI	1–2/72

---

🙏 Request for Clarification

Would it be possible to:

1. Confirm whether these detections are false positives?
2. Provide a signed version of the installer (if feasible)?
3. Offer SHA256 hashes alongside future releases to aid verification?

Thanks again for your great work — this tool has so much potential, and I'd love to help others trust it even more. Let me know if I can contribute further!

See attached image for reference.

[Anjaneekumar]

False positives happen—just sharing this to help others make informed calls 🙌

[teamclouday]

Related #72

Hey thanks for submitting the report! To answer your questions:

Confirm whether these detections are false positives?

It's hard to understand what these detections actually imply. It would help a lot if there's a way to know which part of the code caused these detections. My guess for the DNS lookup one is that the program is using the lookup to get the machine IP address, which is then used for the TCP socket server.

Provide a signed version of the installer (if feasible)?

This is a good point. In my experience the lack of signing has been causing issues on windows and macos. However I'm not experienced in creating a signed build. You are welcome to contribute on this!

Offer SHA256 hashes alongside future releases to aid verification?

So these builds are created by github actions. And recently they made an update to include the SHA256 hash alongside the files. I think the latest release includes it. Can you confirm if it appears on your side?

[wiiznokes]

Hi, as a contributor of this project, i can tell you there is no virus in the code. I know that this flag can be considered as a threat by windows defender. Maybe there could have a backdoor in a dependency, but i doubt that.
I think these are all false positive. Signing the app could probably mitigate that (windows force open source developer to pay for signing key, instead of providing actual good security features like sandboxing).
Having reproducible build could help someone to audit the code if he want to imo