Did a piece of malware sneak into Apple's iTunes App Store?
That's what security experts were debating after Kaspersky Lab's Denis Maslennikov said yesterday (July 5) that a Trojan horse — malicious software that pretends to be something innocuous — had gotten past Apple's famously tough App Store vetting process, which has never before let in real malware.
"The application is called 'Find and Call' and can be found in both the iOS Apple App Store and Android’s Google Play," Maslennikov wrote in a blog posting. (The app has since been removed from both app stores.)
Secret file copying
Find and Call, made by a Russian firm, claims to be an app that lets you make phone calls by simply typing in or clicking a contact's email address or social-network handle — admittedly a useful idea.
"In order to call somebody from your mobile phone, you can use an email address, a domain name, a profile address in a social network, etc., instead of a phone number just as easily," states the Find and Call official website.
But Maslennikov said Find and Call also copies a user's entire address book to its own servers, and sends out spam text messages to everyone in the address book imploring them to also install the app.
Screenshots of complaints by angry Russian users in the iOS App Store and Google Play, and Maslennikov's own screenshots of code within the app, support his assertion.
Nowhere in Find and Call's terms of use does it say that the app will copy your address book or send out text messages to your friends, Maslennikov said.
An email from Find and Call support staff to the Russian site AppleInsider.ru stated that the sending of "inviting SMS messages" was a "bug in process of fixing."
Harmful or not?
Sophos Labs' Vanja Svajcer had doubts about whether this behavior really was malicious, or just annoying.
"I'm not sure I 100 percent agree with Kaspersky that it is malware," Svajcer wrote on Sophos' Naked Security blog. "It would probably be more accurate to say that the 'Find and Call' app is 'spammy.'"
A commenter on Maslennikov's blog posting pointed out that Path, a well-known social-networking app for iPhones and iPads, had been caught also uploading users' address books to its servers in February of this year.
After that incident, Apple said it would make sure that new apps would no longer be allowed to do so. It wasn't clear whether Find and Call's address-book-copying function pre-dated Apple's new guidelines.
Path didn't send out spam promoting itself, but other online services have done so in the past. Doostang, a business-networking social site, got negative publicity in 2008 for sending emails to everyone in a new user's address book.
Still a black mark for Apple security
Whether or not Find and Call really is malware — Svajcer pointed out that real cybercriminals wouldn't create an app that was actually useful, or a helpful website to promote it — the fact that it is so spammy and violates users' privacy so blatantly is a bit of a failure on the part of Apple's app-checkers, who should have able to catch Find and Call before it was released.
After all, the source code clearly shows what it does with the address book and the text messages, as Maslennikov showed. And the spammy and intrusive behavior is a clear violation of the full-disclosure rule in both the Apple App Store and Google Play.
To make sure you don't get mobile malware on your smartphone, don't jailbreak your iPhone or iPad unless you really know what you're doing. As for Android users, stick to apps from Google Play or Amazon's app store, and make sure you install robust mobile anti-virus software.