Not long ago, Mac users across the world were horrified to learn that over half a million Apple computers had been infected by the Flashback malware. It was something of a wake-up call, and a cruel reminder that nothing is safe from malicious programmers. Now, a nasty app called Find and Call on the App Store might do the same for iOS.
The app appeared in both the Google Play store and the Apple App Store. It was outed yesterday by Kaspersky security researchers, who had received a tip from Russian phone company MegaFon. Users were complaining of spam texts advertising the app that appeared to be coming from legitimate users. Kaspersky dug into the app and discovered that not all was what it seemed.
Once installed, Find and Call copied the phone’s address book and uploaded it to a remote server. Then, it prompted users to enter their email and phone number for verification purposes — the app claimed that this information would be used to connect with Facebook. When the data was copied, the server would begin to send out spam email and text messages which used the phone number or email entered by the user as the originating source, thus making them appear legitimate.
Strangely, the app does not appear to be doing anything more than marketing itself very, very aggressively. However, Kaspersky researcher Denis Maslennikov says that this doesn’t matter. From his blog post:
Yes, these pieces of malware are not that ‘cybercriminalistic’. But malware is malware and in this case it steals user’s phone book and uses it for SMS spam. And we’re sure that there must be strict and quick response to such incidents. Period.
To their credit, the Apple store behaved exactly as predicted and quickly pulled the app yesterday. In a statement obtained by The Loop, Apple said:
“The Find & Call app has been removed from the App Store due to its unauthorized use of users’ Address Book data, a violation of App Store guidelines.”
The app has also been removed from the Google Play store.
In their research, Kaspersky noted that a PayPal donation option on the app’s website would transfer funds to “LABWEALTH.COM PTE. LTD.” This turned out to be a company called Wealth Creation Laboratory, with a Singapore address. Forbes writer Andy Greenberg was able to contact the company’s “director and co-founder” Sergey Bogatyrev, who claimed ignorance of the app and could not explain why the PayPal site was connected to his company.
While many sites are claiming that this is the “first” Trojan on the App Store, commenters on the Kaspersky website pointed to the game Aurora Feint. When the game was released in 2008, users could opt in to a “community feature” that would transfer their address book as plain text and look for friends they might already know. While similar, and breathtakingly insecure, the key difference here is that Feint didn’t trick users. It also didn’t send them spam texts.
For their part, Kaspersky notes that this is the first time they’ve seen this kind of spamtastic malware on the App Store (they also note that malware seems to be more of a regular occurrence on the Android Store). However, iOS users can take heart that while Apple and security researchers didn’t notice this app when it went live back on June 13, their fellow users sure did. Prior to its being pulled from the App Store, Russian users had given it 28 one-star ratings, and ranted about its malware tactics in their reviews.
As always, no platform is 100% secure, and if you see a very, very low-rated app, remember that it might be garbage. It might also be smart to avoid apps with descriptions in Russian — unless you’re very confident, or read Russian.