Apple has removed from its App Store a malicious app that, once downloaded, uploaded the user's phonebook to a remote server. It's believed to be the first significant piece of malware to land in the App Store in the four years since it opened.
The app, a contacts utility program named "Find and Call," was ejected from the App Store by Apple late Thursday. "Find and Call" had also found its way into Android's Google Play store, and Google removed it from there as well on Thursday.
Kaspersky Lab discovered the perils of "Find and Call," which includes a Trojan to do the dirty work. Once the user launches the app, Kaspersky says, "he will be asked to register in the app using his email address and cellphone number (both fields won’t be checked for validity). If user wants to 'find friends in a phone book' his phone book data will be secretly (no EULA/ terms of usage/notifications) uploaded" to a remote server.
The user, Kaspersky says, will be able to continue using the app, but at the same time:
... the application steals data from the device (phone book and cellphone numbers) which are uploaded to a remote server to be used for SMS spam campaigns. Each phone book entry will receive an SMS spam message offering to click on the URL and download this ‘Find and Call’ application. It is worth mentioning that the ‘from’ field contains the user’s cellphone number. In other words, people will receive an SMS spam message from a trusted source.
"Although there have been plenty of reports of Android malware, attacks targeted towards iPhone and iPad users are much much rarer," noted Vanja Svajcer, SophosLabs principal virus researcher on that company's blog.
Svajcer wrote that "Clearly Apple's 'rigorous' screening of apps before they're allowed in the App Store wasn't quite rigorous enough in the case of the 'Find and Call' app, as it was able to slip through the net."
Trudy Muller, an Apple spokeswoman, told Wired that the app was removed "due to its unauthorized use of users’ address book data, a violation of App Store guidelines." We contacted Apple for comment, and will update this post if we hear back.
Svajcer of SophosLabs wrote that it's probably "more accurate" to say that the app is "'spammy' — as it leaks data all over the place in plain text via http (which means, of course, that the data could be intercepted and sniffed by someone wanting to snoop on you)."
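The two behaviours described above, a whole address book leaving the device and leaving it over plaintext HTTP, are exactly what an egress proxy or mobile-device-management gateway can look for. The following is an added example, not code from the article, Kaspersky or SophosLabs: a small Python heuristic that scans constructed request records (the app names, hosts and numbers are made up) and flags bodies that carry a bulk of phone numbers, rating plaintext `http` destinations higher than `https` ones. The threshold of three distinct numbers and the keyword list are assumptions chosen for the illustration.

```python
import json
import re
from typing import Dict, List

# Constructed sample records (not real traffic from "Find and Call"): a simplified
# view of outbound HTTP requests as an on-device proxy or egress gateway might log
# them. Hosts use documentation/reserved ranges and example domains.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {
        "app": "com.example.contactsutil",
        "scheme": "http",
        "host": "203.0.113.10",
        "path": "/api/upload",
        "body": json.dumps({
            "user": "+15551234567",
            "contacts": [
                {"name": "Alice", "phone": "+15550001111"},
                {"name": "Bob", "phone": "+15550002222"},
                {"name": "Carol", "phone": "+15550003333"},
                {"name": "Dave", "phone": "+15550004444"},
            ],
        }),
    },
    {
        "app": "com.example.weather",
        "scheme": "https",
        "host": "api.example.com",
        "path": "/forecast",
        "body": json.dumps({"lat": 37.77, "lon": -122.41}),
    },
    {
        "app": "com.example.messenger",
        "scheme": "https",
        "host": "sync.example.net",
        "path": "/contacts/sync",
        "body": json.dumps({"phones": ["+15550005555", "+15550006666", "+15550007777"]}),
    },
]

# Loose phone-number pattern: optional '+', then 9+ digits possibly separated by
# spaces, dashes or parentheses. Digits are normalised before counting so that
# "+1 555-000-1111" and "15550001111" count once.
PHONE_RE = re.compile(r"\+?\d[\d\-\s()]{7,}\d")

# JSON keys / words that usually mean a whole address book is being sent
# (assumed list for the example).
CONTACT_KEYWORDS = ("contacts", "phonebook", "address_book", "addressbook", "phones")


def count_distinct_phone_numbers(body: str) -> int:
    """Return the number of distinct phone-number-like values in a request body."""
    digits = {re.sub(r"\D", "", m) for m in PHONE_RE.findall(body)}
    return len(digits)


def analyze_requests(requests: List[Dict[str, str]], threshold: int = 3) -> List[Dict[str, object]]:
    """Flag requests that look like a bulk contact upload.

    A request is reported when its body carries at least `threshold` distinct
    phone numbers. Severity is 'high' when the transport is plain http (the
    data is readable to anyone on the path) and 'medium' over https.
    """
    findings: List[Dict[str, object]] = []
    for req in requests:
        n = count_distinct_phone_numbers(req["body"])
        if n < threshold:
            continue
        reasons = [f"{n} distinct phone numbers in body"]
        lowered = req["body"].lower()
        if any(k in lowered for k in CONTACT_KEYWORDS):
            reasons.append("contact-list field names present")
        if req["scheme"] == "http":
            reasons.append("sent over plaintext http")
        findings.append({
            "app": req["app"],
            "destination": f"{req['scheme']}://{req['host']}{req['path']}",
            "phone_numbers": n,
            "severity": "high" if req["scheme"] == "http" else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyze_requests(SAMPLE_REQUESTS):
        print(f["severity"].upper(), f["app"], "->", f["destination"], "|", "; ".join(f["reasons"]))
```

Run as-is, the script reports the plaintext contacts upload as high severity and the encrypted contact sync as medium; the weather request is ignored. The medium finding is deliberate: encryption in transit says nothing about whether the user consented to the upload, so a reviewer still wants to see it, which is the distinction Svajcer draws between "malicious" and merely "spammy".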
While Apple and Google were quick to remove the app, he wrote, "Obviously it would have (been) even better if the app's lax respect of users' privacy had been spotted in the first place, and they had never been allowed into those online stores."