Google and Apple have pulled an app from their mobile app stores after it was revealed it was sending user contact lists to a remote server and spamming the contacts with messages.
The app, named "Find and Call," claimed to be an app that helps users organize their address book. However, the app actually takes the users contact list and uploads it to a remote server.
An analysis of the iOS and Android versions of the application by security software company Kaspersky Lab showed its really a Trojan that replicates by the server sending Short Message Service (SMS) texts containing the applications URL to all the contacts in the users address book, according to Denis Maslennikov, senior malware analyst with Kaspersky Lab.
When the app launches, the user will be asked to register by entering his or her email address and cell phone number, Maslennikov explained. If the user chooses to find friends in a phone book, then the persons phone book data will be secretly sent to the remote server.
Both apps are also able to upload the users GPS coordinates to the same server but such [a] feature is not that new for both malicious and legal apps to be honest, he blogged. So, what happens next? [Users] will be able to continue using the application, but at the same time the application steals data from the device ¦ which are uploaded to a remote server to be used for SMS spam campaigns. Each phone book entry will receive an SMS spam message offering to click on the URL and download this Find and Call application. It is worth mentioning that the from field contains the users cell phone number. In other words, people will receive an SMS spam message from a trusted source.
According to a report from the blog Appleinsider.ru, the makers of the application say the situation is due to a bug that is being fixed.
Vanja Svajcer, principal virus researcher at Sophos, wrote that he wouldnt necessarily call the application malware, opting instead to refer to it as spammy.
It would probably be more accurate to say that the "Find and Call" app is "spammy"as it leaks data all over the place in plain text via http (which means, of course, that the data could be intercepted and sniffed by someone wanting to snoop on you), he blogged.
Once the contact details are uploaded from the affected smartphone, there is some server-side code that sends each contact an SMS message with a link to the download location of the app. In this way, the app promotes itself to all of your contacts. That's pretty ugly behavior, as there are no previous warnings or explanations for the user.