Security firm Kaspersky Labs reported today that it had been alerted to an app, available on both Apple’s App Store and the Google Play store for Android, that harvests users’ address book contacts and sends them to the developers’ servers for use in text spam.
The developer’s systems then send text messages to those contacts advertising the application, with the sender (“From”) field spoofed to show the original user’s mobile phone number, so the messages appear to come from someone the recipient knows.
While the application, Find and Call, was available in App Stores around the world, it primarily targeted Russian users, as its app description was written in Russian. This is not the first incident of apps transmitting personal information inappropriately, but it does appear to be the first time the harvested information has been used in this way: to spam the victim’s contacts in the victim’s name.
From Macworld: “Once installed, the app asks you to register your phone number and email address. Find and Call will also ask if you want to ‘find friends in a phone book’ before discreetly uploading your entire contact list to a remote server. The app will continue to upload your contacts, and will send SMS messages to those people that contain a link to download the app themselves. These SMS messages show up as if they were sent from your number, so the recipients are much more likely to click on the link.”
Kaspersky also notes that spam invites are being sent via email as well. A user who was able to get in touch with the app’s authors reports that the author claims the behavior is a bug, although that explanation seems suspect given that the spoofed-sender messages and the server-side harvesting are the app’s core behavior, not an incidental error.
It now seems that Apple has removed the app from its App Store, as a search of the App Store returns no results for it. It had been available in the App Store since June 13th.
Malware in the Google Play store isn’t anything new, but it’s certainly worrying to see an app like this make it onto the iOS App Store. It makes you wonder how an app like this passed review, and how many similar apps have slipped over the wall. Part of the answer is that nothing the app did looked unusual to a reviewer: asking to “find friends in a phone book” is exactly what legitimate social apps do, and the harvesting and spamming happened on the developer’s servers, out of sight of the review process.
Remember, practice safe computing. If an app looks suspicious, don’t download it, and be wary of any app that asks for your contact list or your phone number when it has no obvious need for them. App Store review is not a guarantee that an app handles your data responsibly.
UPDATE: From The Loop: “The Find & Call app has been removed from the App Store due to its unauthorized use of users’ Address Book data, a violation of App Store guidelines,” an Apple representative told The Loop.