The app, dubbed "Find and Call," was more akin to "leak and spam," said Denis Maslennikov, a security researcher at Kaspersky Lab, who detailed the malicious apps--pitched to Russian-language iPhone and Android users--in a blog post. Both Apple and Google Thursday removed the offending versions of the application.
"Malware in the Google Play is nothing new but it's the first case that we've seen of malware in the Apple App Store," said Maslennikov. "It is worth mentioning that there have not been any incidents of malware inside the iOS Apple App Store since its launch five years ago. But the main issue here is user's privacy--again."
When it comes to accessing people's address books, there's been a gray line between malicious smartphone apps and well-known apps code that grab address books in the name of "social networking functionality." Notably, security researchers earlier this year found that Hipster and Path, among other smartphone apps, uploaded users' address books to servers controlled by developers, as part of their "find friends" feature. In response, the developers promised to obtain explicit permission from users before grabbing any of their address book information.
[ Problems have plagued the Apple App Store recently. Read Apple's App Store Distributes Corrupted Updates . ]
But Maslennikov said that the Find and Call app clearly was malicious. Interestingly, reviews of the app on the Apple App Store date to at least June 23, 2012, and were far from favorable, with many users complaining--likewise on the app's Google Play download page--that rather than providing a free calling service, the app was instead sending SMS spam to their address book contacts.
The app's end user license agreement (EULA), however, makes no mention of the app potentially sending a copy of a user's address book to a remote server, or the fact that it can record a user's GPS coordinates. "If user launches this application he will be asked to register in the app using his email address and cell phone number," Maslennikov said. "If [the] user wants to 'find friends in a phone book,' his phone book data will be secretly--no EULA/terms of usage/notifications--uploaded to remote server."
The remote server then sent the spam messages--via SMS--to every contact in a user's address book, listing that user's cell phone number in the "from" field, meaning the messages actually appear to have come from the user. Inside the body of the message, meanwhile, contained a URL link for downloading the Find and Call application.
Maslennikov said the URL was tied to a website that offers users the ability to add money via PayPal to an account on the site. "If you try to add some amount of money, you will notice that you're trying to transfer money to a company called 'LABWEALTH.COM PTE. LTD,'" he said. The Labwealth.com website is run by a Singapore-based company with this tagline: "Let's create together the world of plenty and prosperity!"
One Find and Call user detailed his related experiences on Russian news outlet AppleInsider.ru, saying that after providing his email address and cell phone number to the iPhone version of the app, it then sent spam SMS messages, hawking the app, to all of his contacts.
AppleInsider.ru then made contact with the developer of the app, who claimed that the spam messages had been sent in error. "The system is in the process of beta-testing. As a result of the failure of one of the components, there is a spontaneous sending of SMS invitation messages. This bug is being fixed. The SMS are sent by the system, which is why it won't affect your mobile account," replied the developer, in text translated from Russian.
Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)