It takes some time for device manufacturers to update built-in Anti-Virus, which is obviously not ideal but it is what it is. If you have installed Avast yourself, that might be an issue in itself, though you should be able to update it more quickly:
Unfortunately Avast has a reputation for false positives on Android and MS Windows;
Android devices usually have Anti-Virus built-in. If you add another Anti-Virus App, it may well trigger the built-in one to report a Trojan or vice-versa, since Anti-Virus Apps do behave like Trojans themselves, using brute force methods to scan.
If you upload your APK to Virus Total, it will run your App through a number of Anti-Virus programs. That will give a better indication as to whether there is a genuine issue but note that some Anti-Virus programs do not use their own Engine/Database, they instead pay royalties to a central lab - consequence of which is that all the programs based on the same Engine will likely give the same result.........
Thanks for that investigation. I'm not sure that some of these permissions are actively needed in most apps other than the App Inventor companion app. I've submitted a potential patch for review that will address this, but we will need to have some internal discussion and testing to determine whether it will have any adverse effects.
Only strange is that this permission was also used when AppInventor was targeting API Level 29. But Avast does not report a virus in these apps. Maybe the combination with something else causes a problem?
With pretty much every SDK update this triggers Avast and AVG. I think until they get enough reports their heuristics take a while to update. Since their heuristics seem to be particularly sensitive to this permission based on your analysis, I think it's best if we eliminate its inclusion as much as possible.