When one downloads an app from the iOS App Store, one does so with the assurance that it will be free of malware. That assurance now looks questionable: Russian security firm Kaspersky Lab recently reported that it had been alerted to an app called Find & Call, available in both Google Play and the Apple App Store, that was secretly uploading data from users’ address books to the developer’s server. The server then used that data to send SMS spam advertising the application to each user’s contacts, with the user’s own mobile number in the sender field.
Find & Call is the first ever iOS malware
The report by Kaspersky Lab states that the researchers initially believed they were dealing with an SMS worm that sent these messages to all of a user’s contacts; on closer analysis, however, they found it was a Trojan horse that uploaded the user’s phone book to a remote server. The replication step, they explain, was carried out by that server, which sent the SMS messages containing the application’s URL. On first launch the app prompted the user to enter a mobile number and an e-mail address. The report states, “If user launches this application he will be asked to register in the app using his email address and cell phone number (both fields won’t be checked for validity). If user wants to ‘find friends in a phone book’ his phone book data will be secretly (no EULA/ terms of usage/notifications) uploaded to remote server.”
The report continues, “Malware in the Google Play is nothing new but it’s the first case that we’ve seen malware in the Apple App Store. It is worth mentioning that there have not been any incidents of malware inside the iOS Apple App Store since its launch 5 years ago. But the main issue here is user’s privacy again. It’s not for the first time when we see incidents related to user’s personal data and its leakage. And it’s for the first time when we have confirmed case of malicious usage of such data.”
The report adds that the developer had been contacted about the application and replied that the Find & Call system was still in beta testing, and that one of its components had failed and spontaneously sent the invitation SMS messages. The developer said the bug was in the process of being fixed.
Apple later responded by contacting The Loop and issuing a statement that said, “The Find & Call app has been removed from the App Store due to its unauthorized use of users’ Address Book data, a violation of App Store guidelines.”
With iOS 6, Apple has been working on limiting third-party applications’ access to personal data: an app must now obtain explicit user permission before it can read data such as the address book, and the user is notified when that data is requested. A permission prompt does not stop an app from misusing data once the user has granted access, so this kind of abuse may yet reappear, but it at least removes the silent collection that Find & Call relied on.
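As an added illustration (not code from the original article, from Find & Call, or from Kaspersky Lab), the snippet below contrasts the pre-iOS 6 pattern, in which an app could open and copy the Address Book with no prompt, with the iOS 6 pattern that checks the authorization status and requests access through the system prompt. The framework calls are Apple’s AddressBook C API as it exists in iOS 6; the two wrapper functions, their names, and the block-based handler type are assumptions introduced here for illustration.

```objc
#import <AddressBook/AddressBook.h>

// Pre-iOS 6 pattern: the Address Book could be opened and read with no
// user prompt, which is exactly what allowed silent copying of contacts.
// ABAddressBookCreate() is deprecated as of iOS 6.
static CFArrayRef CopyAllContactsSilently(void) {
    ABAddressBookRef ab = ABAddressBookCreate();
    if (ab == NULL) return NULL;
    CFArrayRef people = ABAddressBookCopyArrayOfAllPeople(ab);
    CFRelease(ab);
    return people;  // caller owns and must CFRelease the array
}

// iOS 6 pattern: consult the authorization status before touching the
// Address Book. The first request for an undetermined status triggers the
// system prompt; subsequent calls return the stored decision without asking.
// (Hypothetical handler type, not part of the AddressBook framework.)
typedef void (^ContactsHandler)(CFArrayRef people);  // people is NULL on refusal

static void FetchContactsWithConsent(ContactsHandler handler) {
    ABAuthorizationStatus status = ABAddressBookGetAuthorizationStatus();
    if (status == kABAuthorizationStatusDenied ||
        status == kABAuthorizationStatusRestricted) {
        // The user (or a device policy) has already said no; the prompt will
        // not be shown again, so do not keep retrying in the background.
        handler(NULL);
        return;
    }

    CFErrorRef error = NULL;
    ABAddressBookRef ab = ABAddressBookCreateWithOptions(NULL, &error);
    if (ab == NULL) {
        handler(NULL);
        return;
    }

    ABAddressBookRequestAccessWithCompletion(ab, ^(bool granted, CFErrorRef err) {
        // For an already-authorized status this block runs immediately; for
        // kABAuthorizationStatusNotDetermined it runs after the user answers
        // the prompt. It may be invoked on an arbitrary queue, so dispatch
        // back to the main queue before updating UI.
        CFArrayRef people = granted ? ABAddressBookCopyArrayOfAllPeople(ab) : NULL;
        CFRelease(ab);
        handler(people);
    });
}
```

The point for a reviewer is what the second function does not do: once `granted` is true, nothing in the framework prevents the app from serializing `people` and sending it to a remote server. The iOS 6 change makes the access visible and refusable; whether the data is then used as the user expects still depends on the developer and on App Store review.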