Find and Call uploaded user’s entire contacts list and sent out spam texts
A malicious app has made it through Apple's defences and onto the App Store, according to new research.
It is thought to be the first time something like this has happened, as Apple’s walled garden approach is supposed to ensure a higher level of security. The same app has been discovered in Android form on the Google Play store.
Details of the app were revealed by Kaspersky Lab. The app, called "Find and Call," uploads the user’s entire contacts book to a server and also sends out a text message that encourages contacts to also download the app.
Kaspersky research said the app initially seemed more like an SMS worm, but further analysis revealed it was something more sinister.
"Our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to remote server," wrote Kaspersky Lab Expert Denis Maslennikov.
"The ‘replication’ part is done by the server – SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book," he said, adding that the SMS that is sent out will be from the user’s number, so anyone receiving the message will think it is from a trusted source.
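The behaviour Maslennikov describes, a bulk phonebook upload with the replication handled server-side, is what a defender would look for in outbound app traffic. The Python below is an added example, not Kaspersky's code or anything taken from the article: it runs a simple heuristic over constructed mobile-proxy records and flags any app that POSTs many phone-number-like values to a single host. The bundle ids, host names, request bodies and the 20-number threshold are all constructed assumptions, not indicators from the page.

```python
"""Heuristic detection of contact-book exfiltration over captured egress traffic.

Added example: the records, hosts and app ids below are constructed placeholders.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches international or local phone-number-like strings (8+ digits/separators).
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


@dataclass
class EgressRecord:
    app: str      # bundle id / package name of the sending app (constructed)
    host: str     # destination host (constructed)
    method: str   # HTTP method
    body: str     # request body as captured by the proxy (constructed)


def count_phone_numbers(body: str) -> int:
    """Count phone-number-like values in a request body."""
    return len(PHONE_RE.findall(body))


def flag_contact_exfil(records, threshold: int = 20):
    """Return {app: (host, phone_count)} for apps whose POSTs to one host carry
    at least `threshold` phone-number-like values. A single number (account
    verification, two-factor enrolment) stays below the threshold; a whole
    address book does not."""
    per_app = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r.method.upper() != "POST":
            continue
        n = count_phone_numbers(r.body)
        if n:
            per_app[r.app][r.host] += n
    flagged = {}
    for app, hosts in per_app.items():
        host, n = max(hosts.items(), key=lambda kv: kv[1])
        if n >= threshold:
            flagged[app] = (host, n)
    return flagged


def _constructed_records():
    """Build sample traffic: one benign sign-up POST and one bulk phonebook upload."""
    # Constructed contact book: 30 entries with fictional 555-01xx numbers.
    contacts = [{"name": f"Contact {i}", "phone": f"+1 555 010 {i:04d}"} for i in range(30)]
    return [
        # Benign: an app verifying the user's own number during sign-up.
        EgressRecord("com.example.messenger", "api.example-messenger.invalid", "POST",
                     json.dumps({"phone": "+1 555 010 9999", "email": "user@example.invalid"})),
        # Suspicious: an app shipping the entire address book to a remote server.
        EgressRecord("com.example.contactgrabber", "collector.example.invalid", "POST",
                     json.dumps({"contacts": contacts})),
        # Ignored: a GET with no body.
        EgressRecord("com.example.contactgrabber", "cdn.example.invalid", "GET", ""),
    ]


def demo():
    """Run the heuristic over the constructed records and return the flagged apps."""
    return flag_contact_exfil(_constructed_records())


if __name__ == "__main__":
    for app, (host, n) in demo().items():
        print(f"ALERT {app} posted {n} phone numbers to {host}")
```

The threshold is deliberately coarse: the point is to separate a single self-verification number from a whole address book, and a real deployment would pair this with the app's declared permissions and the timing of the upload relative to first launch.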
The app has been pulled from both the App Store and Google Play.
Russian blog AppleInsider.ru claimed to have spoken to the company behind the app, which said Find and Call was in beta and that the "bug" that resulted in contacts being uploaded and spam messages being sent out was in the process of being fixed.
While spam and malicious apps are nothing new on Android, there has been no documented case so far of one reaching the iOS App Store. Apple has a strict approval process in place that is supposed to stop apps like this from getting through, but this one clearly slipped through the net.
Having said that, legitimate social app Path caused controversy earlier this year when it was discovered to be uploading user contacts to its servers without asking permission. The company claimed this was designed to help users find their contacts on the service faster, but still decided to wipe data it had collected and changed its processes.