Yesterday we were contacted by our partner MegaFon, one of the major mobile carriers in Russia. They notified us about a suspicious application, which was found in both the Apple App Store and Google Play. At first glance, this seemed to be an SMS worm spread via sending short messages to all contacts stored in the phone book with the URL to itself.
However, our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to remote server. The 'replication' part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.
The application is called ‘Find and Call’ and can be found in both the iOS Apple App Store and Android’s Google Play. We’ve already informed both Apple and Google but we haven’t received an answer yet.
Find and Call in the Apple Store
Find and Call in the Google Play
All user comments (both in Apple Store and Google Play) are pretty angry and contain the same complaint that the app sends SMS spam:
After the installation the following icon appears in the menu of Android/iOS homescreen:
If user launches this application he will be asked to register in the app using his email address and cell phone number (both fields won’t be checked for validity). If user wants to ‘find friends in a phone book’ his phone book data will be secretly (no EULA/ terms of usage/notifications) uploaded to remote server in the following format:
Here are the routines used for uploading phone book to remote server:
List of fields retrieved from the phonebook:
Both apps are also able to upload user’s GPS coordinates to the same server but such ‘feature’ is not that new for both malicious and legal apps to be honest.
So, what happens next? User will be able to continue using the application but at the same time the application steals data from the device (phone book and cell phone numbers) which are uploaded to a remote server to be used for SMS spam campaigns. Each phone book entry will receive SMS spam message offering to click on the URL and download this ‘Find and Call’ application. It is worth mentioning that the ‘from’ field contains the user’s cell phone number. In other words, people will receive an SMS spam message from a trusted source.
SMS spam message (‘Now I’m here and it’s easier to reach me with the help of free application [URL]’)
Both apps upload user’s phone book to remote server and use it for SMS spam. That’s why we detect them as Trojan.AndroidOS.Fidall.a and Trojan.IphoneOS.Fidall.a
Good question. There are actually some more interesting details. The website of this app allows you (after logging in to your account) to ‘enter’ your social network accounts, mail accounts (it seems that these details will also be used) and even PayPal (!) to add money to your account.
If you try to add some amount of money, you will notice that you’re trying to transfer money to a company called ‘LABWEALTH.COM PTE. LTD.’
If you check their website, 'labwealth.com', you’ll find a company based in Singapore named 'Wealth Creation Laboratory'. Yeah, right! This company, by the way, has really nice motto: 'Let's create together the world of plenty and prosperity!'
Malware in the Google Play is nothing new but it’s the first case that we’ve seen malware in the Apple App Store. It is worth mentioning that there have not been any incidents of malware inside the iOS Apple App Store since its launch 5 years ago. But the main issue here is user’s privacy again. It’s not for the first time when we see incidents related to user’s personal data and its leakage. And it’s for the first time when we have confirmed case of malicious usage of such data.
We’re sure that both applications must be deleted from the official markets. Yes, these pieces of malware are not that ‘cybercriminalistic’. But malware is malware and in this case it steals user’s phone book and uses it for SMS spam. And we’re sure that there must be strict and quick response to such incidents. Period.
Many thanks to my colleagues Igor Soumenkov, Aleks Gostev, Sergey Golovanov, Roman Unuchek and Costin Raiu. And also I would like to thank iPad 2, Samsung Galaxy SIII and iPod Touch.
Russian blog AppleInsider.ru published the story about same application. They were able to connect with the author of Fidall and received the following response:
Re: Application work
July 5, 2012. 12:10
System is in process of beta-testing. In result of failure of one of the components there is a spontaneous sending of inviting SMS messages. This bug is in process of fixing. SMS are sent by the system, that is why it won't affect your mobile account.
Email spam confirmed
4:13 PM Thursday (GMT) Contrary to some public reports, the malicious iOS and Android applications are still available for downloads in the markets.
Both apps were removed from Apple Store/Google Play
There is one more curious detail about Fidall. You can find in the code such magic hexadecimal values as '0xBEEFDEAD' or '0xFACEDEAD' (see screenshot below).
'Creating' phrases with hexadecimal numbers is not new. And in many cases such things have been noticed in different malicious applications.
2012 Jul 05, 22:11
Re: Find and Call: Leak and Spam
2012 Jul 05, 23:56
Not the 1st
This isn't the first iOS app to send your contact list back to their servers in plain text. Aurora Feint was one of the first to do it in 2008, and it was pulled. Recently "Path" came under fire for the same practice. So either this isn't the first malware, or Apple's record is still intact.
Re: Not the 1st
This is correct. LinkedIn also had a bigger issue calendar fact it leaked out users' meeting passcodes.
Still, in this case it appears the author actually used such information for malicious activity.
2012 Jul 09, 11:44
The website, labwealth.com, is found at ip 188.8.131.52. There are 73 domains located at this IP, none of which looks that serious but all is about business in Singapore. The technical contact for the domain, email@example.com, is assosiated with 6 other domains; svantech.com, ecoxplore.com,