How to get detailed information about virus threat, when F-Secure SAFE Android detects one?

asserp
asserp Posts: 3 New Member
edited September 30 in F-Secure SAFE

Hi,

F-Secure SAFE reported that Google Meet is infected with a virus. I uninstalled and reinstalled it from the Google Play Store with the same result. So I am quite sure that this is a false positive, because I am quite sure Google would not release harmful versions of packages they themselves create. Maybe heuristics have detected a potentially harmful coding pattern and not something like a virus?

However, what is really bothering me about this program is that it only shows "virus found, now please delete the program" but gives me no indication of why and what was detected. I tried to search the settings for an advanced mode, or a way to activate what is shown about the details, but found no such settings.

I have another example of this with a package for a Chinese voltage control program from outside Google Play, and all the detail shown about that threat is also the word: “a Virus!” without any details. This program could be harmful, but now I cannot check it. Can you give some info about "DPS5020\DPS(H) Series_V1.0.8.apk"? Have you found this apk to include viruses?

Could you please make a simple information addition, where at least the threat name would be visible, or whether it is a heuristic code analysis result? It would be nice to click that name and be redirected to your site for more information about that current suspicion.

Also, it would be nice to check selected files/folders with F-Secure on an Android device. Or have I just not found it?

Accepted Answer

  • Jaims
    Jaims Posts: 860 Former F-Secure Employee
    Answer ✓

    Hi @asserp

    Our security products recently had a False Positive related flag for Google Meet, but it has been fixed and all engines and the cloud return clean. Please test again and let us know if you still face this issue.

    As for the mentioned APK from the third-party store, we found this DPS(H) Series 1.0.8 Android APK with the hash a0044575f5b2d8c08d52267f5b6de374fe39007c, but no detection was found on that sample. Another way to check whether this is the exact APK/hash that you experienced is if you send us the logs, which should contain the hash.

    Here's how to generate and send us the log from an Android device:

    1. Open the F-Secure SAFE application on your Android device
    2. Open the menu from the upper left-hand corner
    3. Choose About
    4. Click on the version number (at least) 7 times
    5. Scroll down and press Send log file
    6. Send the log file to the predefined email address with the preferred email application
    7. If you have any other attachments (e.g. screenshots) you may add those to the same generated email
    8. Reply to the support request with the information that you have sent the diagnostic log file
    FirmyAmirul

Answers

  • asserp
    asserp Posts: 3 New Member

     Thank you for your response, Jaims!

    Sorry for the late response, I forgot this almost totally... I found the log where it was stated harmful. It was at 2021-12-26. The next automatic detection at 2021-02-19 did not find it harmful. However, I was not able to download that file directly from Google Drive on Android to its local drive, but that may be an Android security policy restriction (.apk file), because F-Secure did not complain about anything anymore. I sent the logs with the advice you gave and linked this conversation in it.

    I calculated the hash with MD5, SHA-1, SHA-256, SHA-512 and some others for that file, but those did not match the hash that you sent. This is what I got with one Windows tool:

    Name: DPS(H) Series_V1.0.8.apk
    Size: 3820985 bytes (3731 KiB)
    CRC32: 363C551D
    CRC64: 42A3DC9CA8EB7C68
    SHA256: AABC04E7DF98B42FC47472C1BDCE82EDD20ED434FC784C1B05DA21C7A5F9DB24
    SHA1: 0C6E7015DD9F86F5F112A27C1C4D809A571F2765
    BLAKE2sp: 0CB43724DA055600D6C9AC947B7DF43B2BCA7E4F1A1644DFD5ABF77E0A1DE414
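The mismatch above comes down to comparing the right digest: the vendor's 40-hex-character hash is a SHA-1, while the Windows tool prints uppercase digests for several algorithms. The following is an added example (not code from the thread or from F-Secure) that infers the algorithm from the digest length, streams the file, and compares case-insensitively; the sample bytes are constructed, and the vendor hash is the one quoted in the reply above.

```python
import hashlib
from typing import Optional

# Hex digest length -> algorithm, so a vendor-supplied hash with no stated
# algorithm can be checked against the right digest.
DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Hash quoted in the vendor reply above (taken from the page, not constructed).
VENDOR_HASH = "a0044575f5b2d8c08d52267f5b6de374fe39007c"


def identify_algorithm(hexdigest: str) -> Optional[str]:
    """Guess the hash algorithm from the digest length; None if it is not a
    hex string of a known length (e.g. a CRC32 checksum)."""
    digest = hexdigest.strip()
    if not digest or any(c not in "0123456789abcdefABCDEF" for c in digest):
        return None
    return DIGEST_ALGORITHMS.get(len(digest))


def digests_of(data: bytes) -> dict:
    """Compute every digest a vendor might quote for the given file contents."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in DIGEST_ALGORITHMS.values()}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as digests_of, but streams the file so a large APK is not read
    into memory at once."""
    hashers = {name: hashlib.new(name) for name in DIGEST_ALGORITHMS.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def check_vendor_hash(data: bytes, vendor_hash: str) -> tuple:
    """Return (algorithm, matched). Comparison is case-insensitive because
    Windows tools print uppercase while vendors usually quote lowercase."""
    algo = identify_algorithm(vendor_hash)
    if algo is None:
        return (None, False)
    return (algo, digests_of(data)[algo] == vendor_hash.strip().lower())


if __name__ == "__main__":
    sample = b"constructed sample bytes, not the real APK"  # constructed input
    print(check_vendor_hash(sample, VENDOR_HASH))  # (algorithm, False): different file
```

A `("sha1", False)` result means the vendor analysed a different file than the one on your device, which is exactly the situation in the thread; sending the device log (which carries the hash SAFE actually scanned) resolves that ambiguity.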

  • Jaims
    Jaims Posts: 860 Former F-Secure Employee

    Hi @asserp

    We managed to get detection details for this sample. First of all, this sample should not be detected now, as it is now identified as safe. Then, for the detection on the date (26-12-2021) you mentioned, the detection name is Riskware:Android/GenericAI.100!fsmind. It is just a generic PUA (Potentially Unwanted App) detection from MindControl.

    Regarding the issue where SAFE mobile is not showing the detection name, do you mind if we create a ticket and follow up with you via email as we would need our product team to have a look?

    Amirul

  • asserp
    asserp Posts: 3 New Member

    Hi Jaims,

    Thank you! Yes, you may create a ticket. I can send you e.g. a screenshot of this if that helps, but currently in the check history, when I open one identification, there is an orange question mark and the text "identification", but the description is just “Problems identified: Potentially unwanted file”. I have F-Secure in Finnish so I translated that to English.

This discussion has been closed.