Last week our webphone software have been marked as malicious by google and the Chrome browser blocks its download. Since our webphone is mostly HTML/CSS/JS files which can't cause any harm, the only possible suspect is the WebPhoneService_Install.exe file which can be found in the webphone.zip under the "native" subfolder.
Here we declare that the webphone and its WebPhoneService component have been created by us, it works as specified by its software documentation and it doesn't contain any malicious code nor it leaks any private data.
The webphone is a VoIP (SIP) client software sold to developers. It is a commercial solution (our best-sold software since years) and only a demo is available for free download (with some demo restrictions so users can try it before to purchase). A detailed description about the webphone can be found here: https://www.mizu-voip.com/Software/WebPhone.aspx
What is the WebPhoneService engine and what it does more exactly: The WebPhoneService is an optional component for the webphone, often referred as the "NS engine", that might be used in some circumstances if the users don't have or don't wish to use WebRTC. It has a single file installer (WebPhoneService_Install.exe) and it runs as a windows NT service by listening on a secure localhost websocket port (WSS) providing VoIP capabilities for our webphone, communicating with the requested SIP server using the standard SIP and RTP protocols to make and receive VoIP calls as configured by the webphone users. The installer can be found in the native subfolder if you unpack the webphone.zip.
Here is the download link to our webphone (the whole package, containing also the "suspicious" WebPhoneService_Install.exe): https://www.mizu-voip.com/Portals/0/Files/webphone.zip
Here is the direct download link for the WebPhoneService_Install.exe (extracted from the webphone package): https://www.mizu-voip.com/Portals/0/Files/WebPhoneService_Install.exe
There is no any malicious bits in our software, we don't collect any user data and the software works as expected after its specification. All our software is signed with a certificate named "WebVoIPPhone".
Trying to guess what is triggering the false alert: The software does a lot of things and we suspect that one of the followings are wrongly detected as "suspicious activity": • It tries to download and deploy a JVM (java virtual machine) if a JVM is not already installed on the PC (this is required because internally the NS engine uses our Java based JVoIP software as the SIP stack) • Execures taskkill.exe (this is used to kill the service own processes to make sure that all resources are released before (re)install) • Modify registry settings (for example to register itself as a SIP URI handler) • Uses the audio devices (apparently, this is a must for VoIP calls) • Might auto download a TLS certificate maintained by Let's Encrypted to be used for WSS (secure websocket)
We also provide customized/branded builds for our customers. This is exactly like the original, with the following changes: • The software file name is renamed after our client brand or company name • All references to us (Mizutech SRL and WebVoIPPhone SRL) or our websites (www.mizu-voip.com and www.webvoipphone.com) are removed or replaced with the client company name and website address • Restricts the usage only with the customer SIP servers (we ask the address of the SIP servers from our customers and "hardcode" these addresses into our software to disallow the usage with other servers)
We already asked a review from Google to white-list our software, but the request was automatically rejected, apparently by an automated process.
Today we made further changhes and resubmitted to googl to revirew. More exactly we performed the following changes:
Hopefully the problem will be resolved within a few days. Thank you for your understand and your continued support.