If anyone more technical than I am can explain what exactly is happening here, that would be great.
I was downloading some music from an Android device (running GrapheneOS) and copied it over to my computer (Linux). From my computer, I uploaded it to VirusTotal, and I got this result:
It seems like I copied the file over to my computer before it was finished downloading, hence the fact that it says that the file size is zero bytes. However, I’m confused by the name of the .zip file in that screenshot, because the original file was [Song Title].m4a.
Given that there is a community score, my guess is that someone else uploaded a file that matched the hash of the one I did.
What exactly is going on, and are there any privacy/security implications here?
Since no one has weighed in yet, here is my guess:
Oftentimes when a download is in progress, it will create an empty file for the downloaded file, and then make a temporary, hidden file that actually stores the downloaded stream. When the download stream is done, the temporary, hidden file is moved to the empty downloaded file to complete the download.
If your download was ungracefully terminated for whatever reason, or if you tried to copy the file before it was actually done downloading, then this would explain why your file is 0B. You copied the initial empty file before the download finished.
The reason there’s a community score is because it’s 0B, so it is literally empty. It would match the hash of any other uploaded 0B empty file. And since a 0B file has nothing, it also has no malware :). And given the userbase of VirusTotal, I’m sure that somebody else uploaded a 0B file at some point in the past.
The reason your filename in VirusTotal is android-cts-7.1_r6-linux_x86-arm.zip is because that must be the name of the file in the VirusTotal DB that matched your 0B checksum. Since all 0B files are identical (by definition), this is simply the filename of the first 0B file uploaded to VirusTotal. Typically, it’s safe to assume two files with identical checksums have the same filename, since they’re the same file (barring intentional collision attacks). The 0B file is the trivial case, so they could really show you any name and it wouldn’t matter. It’s an empty file.
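An added illustration of the explanation above (not part of either post, and not VirusTotal's code): a toy hash-keyed index that models the behaviour the answer describes, showing why a placeholder copied mid-download comes back under someone else's file name. `HashIndex`, `demo`, and all file names and contents are hypothetical and constructed for the example.

```python
import hashlib
import os
import tempfile

# SHA-256 of zero bytes of input; every empty file has this digest.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def sha256_file(path):
    """Hash a file's contents in chunks; the file name is never part of the input."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class HashIndex:
    """Toy content-addressed index (hypothetical): keeps the first name seen per digest."""
    def __init__(self):
        self.first_name = {}

    def submit(self, path):
        digest = sha256_file(path)
        # setdefault keeps the earlier name if the digest is already known
        return digest, self.first_name.setdefault(digest, os.path.basename(path))


def demo():
    index = HashIndex()
    with tempfile.TemporaryDirectory() as d:
        # Someone else's earlier upload: an unrelated zero-byte file (constructed).
        earlier = os.path.join(d, "earlier-upload.zip")
        open(earlier, "wb").close()
        index.submit(earlier)

        # Downloader: empty placeholder at the final name, data goes to a hidden temp file.
        final = os.path.join(d, "song.m4a")
        part = os.path.join(d, ".song.m4a.part")
        open(final, "wb").close()
        with open(part, "wb") as f:
            f.write(b"constructed audio bytes")

        # Copying the placeholder now is what the post describes: 0 bytes, known digest.
        early_digest, shown_name = index.submit(final)
        # Download completes: the temp file replaces the placeholder.
        os.replace(part, final)
        done_digest, done_name = index.submit(final)
    return early_digest, shown_name, done_digest, done_name
```

Comparing a file's digest against `EMPTY_SHA256` before uploading is a quick way to catch a copy taken before the download finished.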