In a first for the Apple App Store for iOS, malware has been detected amongst all the nice friendly apps on offer. The malware was available to download from both the Apple App Store for iOS and the Google Play store, for Android devices, but has now been removed. The Russian language trojan app was advertised as a contacts list utility called “Find and Call”.
Find and Call’s apparent malicious purpose was to steal the user’s contacts list and to spam those contacts with text messages and emails, apparently from a trusted friend. The app also read and saved the user’s GPS coordinates.
Kaspersky Labs say the app did ask for permission to “find friends”, but users are used to accepting many permission requests from apps without paying too much attention. Also, for a contact list utility, such permissions may seem understandable. However, it didn’t take long for user reviews on the app page to reflect that the Find and Call app was not working in the downloader’s best interest; the SMS spam was particularly noticeable.
Wired magazine got a quote from Apple spokesperson Trudy Muller regarding the malware: “The Find and Call app has been removed from the App Store due to its unauthorized use of users’ address book data, a violation of App Store guidelines.” Understated, considering this is the first piece of malware found in the iOS App Store during its 5 years of existence.
The Find and Call app has an associated web site that allows users to enter social network account details, IM logins and email addresses, and even to use a PayPal account to “credit your account”. I hope no one actually went that far. However, the app developer has emailed a statement to AppleInsider.ru claiming his app isn’t malware and that the spamming is caused by a bug: “System is in process of beta-testing. In result of failure of one of the components there is a spontaneous sending of inviting SMS messages. This bug is in process of fixing. SMS are sent by the system, that is why it won’t affect your mobile account.” Good luck to him with fixing the bug and re-submitting the app for inclusion in the App Store…
Android botnet update
Earlier in the week we reported on the first spamming botnet harboured on Android devices. In a new development, reported today on the BBC News site, Google are denying that such a botnet exists and saying that Microsoft’s Terry Zink and Sophos are mistaken in their reports from earlier in the week. However, Chester Wisniewski at Sophos is sticking to his guns and saying “Many, including Google, have suggested the messages are forged. We see no evidence of this. The messages are delivered to our spam traps from genuine Yahoo! servers with valid DKIM signatures.” Also, the spam is largely from cellular networks. However, the mystery of the true source shall remain for now.