Riskware:Android/Fidall.A

Classification

Category: Riskware

Type: Riskware

Platform: Android, iOS

Aliases: Fidall.A

Summary

Fidall.A searches the user's contact list for contact details and syncs the information with a remote server.

Removal

Once the scan is complete, the F-Secure security product will ask if you want to uninstall the file, move it to the quarantine or keep it installed on your device.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Distributed under the name Find and Call, this program first asks the user to register by providing their email address. It then searches the user's contact list for emails, addresses, and phone numbers. This information is then synced with a remote server. Once synced, the server sends the contacts an SMS message containing a link to download the application, which is essentially spam. The SMS messages reportedly contain the user's phone number in the 'From' field.

[Figure: Fidall.A's icon and request for the user to provide an email address]

Another issue concerning Fidall.A is that the data transmitted between the device and the remote server is sent in plain text, so its content is easily exposed if intercepted by another party.

The application is also fully capable of syncing with the contacts from the user's email, Facebook, and Skype accounts. The application's website also reportedly allows users to enter their social network and online payment merchant details.

At the time of writing, both the Apple App Store and Google Play have removed the application. This incident marks the first time the Apple App Store has had to remove a trojan from its market.