A mobile app with Trojan-like features that sends user contact lists to a remote server has been yanked from Google and Apple's digital stores.
Google and Apple have pulled an app
from their mobile app stores after it was revealed it was sending user contact
lists to a remote server and spamming the contacts with messages.
The app, named "Find and Call,"
claimed to be an app that helps users organize their address book. However, the
app actually takes the users contact list and uploads it to a remote server.
An analysis of the iOS and Android
versions of the application by security software company Kaspersky Lab showed
its really a Trojan that replicates by the server sending Short Message
Service (SMS) texts containing the applications URL to all the contacts in the
users address book, according to Denis Maslennikov, senior malware analyst
with Kaspersky Lab.
When the app launches, the user will
be asked to register by entering his or her email address and cell phone
number, Maslennikov explained. If the user chooses to find friends in a phone
book, then the persons phone book data will be secretly sent to the remote
Both apps are also able to upload the
users GPS coordinates to the same server but such [a] feature is not that
new for both malicious and legal apps to be honest, he blogged. So, what
happens next? [Users] will be able to continue using the application, but at
the same time the application steals data from the device ¦ which are uploaded
to a remote server to be used for SMS spam campaigns. Each phone book entry
will receive an SMS spam message offering to click on the URL and download this
Find and Call application. It is worth mentioning that the from field
contains the users cell phone number. In other words, people will receive an SMS
spam message from a trusted source.
According to a report from the blog Appleinsider.ru
, the makers of the
application say the situation is due to a bug that is being fixed.
Vanja Svajcer, principal virus
researcher at Sophos, wrote that he wouldnt
necessarily call the application
malware, opting instead to refer to it as spammy.
It would probably be more accurate
to say that the "Find and Call" app is "spammy"as it leaks
data all over the place in plain text via http (which means, of course, that
the data could be intercepted and sniffed by someone wanting to snoop on you),
Once the contact details are
uploaded from the affected smartphone, there is some server-side code that
sends each contact an SMS message with a link to the download location of the
app. In this way, the app promotes itself to all of your contacts. That's
pretty ugly behavior, as there are no previous warnings or explanations for the