How to Handle VirusTotal False Positives for Your APK
You uploaded your APK to VirusTotal and one or two engines flagged it. Before you panic and start rebuilding your app from scratch, know that this is extremely common for legitimate Android applications. Here is how to understand what happened and what to do about it.
What VirusTotal Actually Tells You
VirusTotal scans your file against 70+ independent antivirus engines simultaneously. Each engine uses different detection methods, signature databases, and heuristic algorithms. A detection from one engine does not mean your file is malware — it means one engine's algorithm triggered on some characteristic of your file.
| Detection Count | Interpretation | Action |
|---|---|---|
| 0 / 72 | Clean — all engines clear | Distribute with confidence |
| 1–2 / 72 | Likely false positive | Investigate, probably fine |
| 3–5 / 72 | Possible issue — investigate | Check code, submit for review |
| 6+ / 72 | Genuine concern | Audit APK thoroughly before distributing |
Common Causes of False Positives in APKs
1. Code Obfuscation / ProGuard
ProGuard and R8 obfuscate your code to reduce APK size and protect intellectual property. The same obfuscation techniques are used in malware — so heuristic engines sometimes flag the pattern rather than the actual code.
```
# ProGuard config that reduces false positives
-dontobfuscate        # turn obfuscation off only if false positives persist
-optimizationpasses 1 # reduce optimization aggressiveness (honoured by ProGuard; R8 ignores this option)
```
2. Third-Party SDKs
Analytics SDKs, advertising networks, and crash reporting libraries sometimes contain code patterns that trigger antivirus heuristics. The SDK itself may be clean but its techniques — remote code loading, reflection, dynamic class loading — match malware signatures.
Common SDK culprits:
- Aggressive ad SDKs with auto-download features
- Analytics SDKs that use reflection
- Update libraries that download and execute code
- Old versions of Firebase or Google Play Services libraries
3. New or Unknown Signing Certificate
Antivirus engines maintain reputation databases for signing certificates. A brand new certificate with no history triggers heuristic alerts — not because the certificate is invalid, but because it has no established reputation. This resolves naturally as you distribute more releases over time.
4. Sensitive Permission Combinations
Certain permission combinations trigger automatic flags regardless of your actual intent:
- SMS + network access + contacts
- Accessibility service + network access
- Device administrator + network access
- Overlay permission + accessibility + input
How to Investigate a False Positive
Step 1: Identify Which Engine Flagged You
On VirusTotal results, note the specific engine name and the detection label it used. A detection labeled Android.Suspicious.001 from an obscure engine is very different from Android.Banker.Trojan from Kaspersky.
Step 2: Check the Detection Label
- Suspicious, Generic, Heuristic → almost certainly false positive
- PUP (Potentially Unwanted Program) → check your ad SDKs
- Trojan, Banker, Spyware → investigate thoroughly
Step 3: Run Secondary Scans
- NViso APKScan — behavioral analysis, shows what your APK actually does at runtime
- MobSF — run locally via Docker for full static and dynamic analysis
- Hybrid Analysis — sandbox execution to observe runtime behavior
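The three steps above can be scripted so that every release build is triaged the same way. The following is an added example, not code from the original article or from VirusTotal: it takes a scan result, counts the engines that flagged the file (Step 1), classifies each detection label into the families from Step 2, and reports whether the Step 3 secondary scans are needed. The input shape is assumed to follow the VirusTotal API v3 `last_analysis_results` object (engine name mapped to `category` and `result`), and the sample data, engine names and labels are constructed; the rule that a named family such as Trojan outranks a Generic or Heuristic hint in the same label is this example's own choice.

```python
# Constructed sample modelled on the VirusTotal API v3 "last_analysis_results"
# object (engine name -> {"category", "result"}); engine names and labels are made up.
SAMPLE_RESULTS = {
    "EngineA": {"category": "malicious", "result": "Android.Suspicious.001"},
    "EngineB": {"category": "suspicious", "result": "Generic.Heuristic.Android"},
    "EngineC": {"category": "undetected", "result": None},
    "EngineD": {"category": "harmless", "result": None},
    "EngineE": {"category": "type-unsupported", "result": None},
}

# Step 2 label families; a named malware family outranks a generic/heuristic hint.
SERIOUS_HINTS = ("trojan", "banker", "spyware")
PUP_HINTS = ("pup", "potentially unwanted")
GENERIC_HINTS = ("suspicious", "generic", "heuristic")

def count_band(detections: int) -> str:
    """Map a detection count to the interpretation column of the table above."""
    if detections == 0:
        return "clean"
    if detections <= 2:
        return "likely false positive"
    if detections <= 5:
        return "possible issue"
    return "genuine concern"

def classify_label(label: str) -> str:
    """Classify one engine's detection label the way Step 2 describes."""
    low = label.lower()
    if any(h in low for h in SERIOUS_HINTS):
        return "investigate thoroughly"
    if any(h in low for h in PUP_HINTS):
        return "check ad SDKs"
    if any(h in low for h in GENERIC_HINTS):
        return "almost certainly false positive"
    return "unknown label, read the engine's write-up"

def triage(results: dict) -> dict:
    """Count flagged engines (Step 1), classify each label (Step 2) and flag whether
    the Step 3 secondary scans are needed before trusting a false-positive verdict."""
    # Only engines that actually returned a verdict count; "undetected", "harmless"
    # and "type-unsupported" entries are ignored.
    flagged = {e: r["result"] for e, r in results.items()
               if r.get("category") in ("malicious", "suspicious") and r.get("result")}
    verdicts = {e: classify_label(label) for e, label in flagged.items()}
    return {"detections": len(flagged), "band": count_band(len(flagged)),
            "verdicts": verdicts,
            "escalate": any(v == "investigate thoroughly" for v in verdicts.values())}
```

On the constructed sample this yields two detections in the "likely false positive" band with nothing to escalate; adding a single engine reporting a Banker/Trojan label flips `escalate` to true regardless of the count.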
How to Submit False Positive Reports
Most major antivirus vendors have formal false positive submission processes. Once submitted, corrections typically appear in their databases within 3–7 days and then propagate to VirusTotal.
| Vendor | Submission URL |
|---|---|
| Google Safe Browsing | transparencyreport.google.com/safe-browsing/review-request |
| Microsoft Defender | microsoft.com/en-us/wdsi/filesubmission |
| Kaspersky | opentip.kaspersky.com |
| Symantec / Norton | symsubmit.symantec.com |
| ESET | support.eset.com/en/submit-a-sample |
| Avast / AVG | avg.com/en-us/false-positive-file-form |
Preventing False Positives in Future Releases
- Use the same signing keystore for every release — certificate reputation builds over time
- Audit third-party SDKs before including them — check each on VirusTotal independently
- Avoid dynamic code loading unless absolutely necessary
- Request only permissions your app genuinely needs
- Register as a verified developer via Android Developer Console — a certificate linked to a verified identity gets higher trust
- Scan every release build before distribution — catch issues before users see them
✅ 1–2 detections out of 72 engines on a new APK with a new signing certificate is completely normal. Submit false positive reports to the flagging engines and distribute with confidence. The detections will clear as your certificate builds reputation.