Trojan app infiltrates Apple App Store

Find and Call uploaded user's entire contacts list and sent out spam texts

By Steve Evans

A malicious app has made it through Apple’s defences and on to the App Store, according to new research.

It is thought to be the first time something like this has happened, as Apple’s walled garden approach is supposed to ensure a higher level of security. The same app has been discovered in Android form on the Google Play store.

Details of the app were revealed by Kaspersky Lab. The app, called "Find and Call," uploads the user’s entire contact list to a remote server and also sends out a text message encouraging those contacts to download the app.

Kaspersky research said the app initially seemed more like an SMS worm, but further analysis revealed it was something more sinister.

"Our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to a remote server," wrote Kaspersky Lab Expert Denis Maslennikov.

"The ‘replication’ part is done by the server – SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book," he said, adding that the SMS that is sent out will be from the user’s number, so anyone receiving the message will think it is from a trusted source.

The app has been pulled from both the App Store and Google Play.

Russian blog AppleInsider.ru claimed to have spoken to the company behind the app, who said Find and Call was in beta mode and the "bug" that resulted in contacts being uploaded and spam messages sent out is in the process of being fixed.

While spam and malicious apps are nothing new when it comes to Android, there has not been a documented case so far of one hitting the iOS App Store. Apple has in place a strict approval process that is supposed to mean apps like this don’t get through, but this one clearly slipped through the net.

Having said that, the legitimate social app Path caused controversy earlier this year when it was discovered to be uploading user contacts to its servers without asking permission. Path claimed this was designed to help users find their contacts on the service faster, but still decided to wipe the data it had collected and changed its processes.
