Malware hits the App Store

Antivirus researchers at Kaspersky say they’ve spotted an app known as “Find and Call” in both the iPhone App Store and Google’s Play market that secretly uploads all of a user’s contacts to a remote server and then sends text message and email spam to every number and email address listed in his or her phonebook.

I hate Malware. I wonder if Apple will change the way it does app reviews now that someone found a way to get through the walled garden?

  • Don’t the address book access controls in iOS 6 keep this from happening. The review process isn’t the problem, allowing apps to access personal data without the user first granting permission is the problem.

    • quietstorms

      It’s an SMS app so most, if not all, would probably grant it access to their contacts anyway. I don’t know how Apple can fix this but the problem is at their doorstep.

      • deviladv

        One simple way could be to include some kind of filter in the review process that looks for code accessing the address book and flag that app to see if it actually does anything meaningful with the phone book. But IANAAppReviewer so I’m only guessing.

        • The problem is that it’s meant to access your contacts. The website says the app is so that you can insert an email address and the app will figure out the phone number and call the person or business. I don’t know how it would work without uploading your contacts to their servers.

          The problem is how to review not only what the app code does, but also what the server code does.

      • The batman

        The same way kaspersky detected it. Install and then sniff the traffic over an open wifi connection.

        • quietstorms

          Kapersky found out after the app’s approval. The problem is that someone could keep the the malware dormant until it gets approval.

  • Hmm. Not in UK iOS app store now. Pulled already?

  • Well, this is not really any hack. iOS (until 5.x) does only protect location data; other data, like pictures, calendar events and contacts are freely accessible through public APIs. This is, at most, a blatant violation of the terms developers sign up to. Apple will remove it, if the claims are valid.

    Starting with iOS 6 the user will have to approve a lot of additional items per App, contacts are among those. This is a good thing, and, especially when it comes to contact data, it should have been there a long time ago. Especially since the contact data copying by the Aurora Feint app was the first bigger App Store ‘scandal’ all the way back in 2008.

  • LKM

    This isn’t the first time this has happened. Apple can’t prevent this in 100% of all cases, because there are so many things developers can do to sneak bad code into an app (e.g. change the app’s behavior after the application has passed review).

    But hopefully, the next time this happens in Google’s store, this will at least make Dalrymple think twice before making snarky comments about how bad Android is, how horrible open systems are, and how smart Apple is for having such high walls on its garden, and how justified they are in only letting iPhone owners get apps from the official App Store 🙂

    • quietstorms

      This has happened in the Google Market/Play store at least anywhere 60-100 times. This is just the store and not outside of it which is far worse. There is a difference between someone spamming you and someone pirating 21 popular apps (51 overall), adding root exploits to them and republishing them back onto the Market. And this was just one man.

      The App Store isn’t perfect but it’s a far cry from what’s happening on Android.

      • deviladv

        Hear, hear! I love when PC/Android fans come out and poke Apple for ONE exploit, and the exploit is always very simple, is caught and surpressed very quickly, and then is reported by the media because it’s exceptional. What makes for news and what makes for a problem are two very different things. The android market is rife with problems, but they are no longer news because it’s common knowledge.

        So far the only story on malware on an Apple device I was impressed with was the virus that exploited a java loophole, and that was because Apple got caught with it’s pants down.

        Here’s another way to think about this, it took someone 5 years to figure out how to make an app that allowed this to happen and with iOS 6, it should be much less of a problem.

    • Steven Fisher

      Right. Because something like this happening every two or three years is exactly like the swirling cesspool of malware on Android.

  • and we see why “yes/no” questions are theater. “I’d like to access your contacts, can I”

    “Um…i guess”



    “nor did I tell you. Welcome to playing by the letter of the lawspamspamspam”

    How do you defeat a 20′ wall? with a 20′ ladder.

    • deviladv

      You can’t build an infinitely high wall, you’re only choice is to make a 21 foot wall to defeat the 20 foot ladder until someone brings a 21 foot ladder to the fight. Sucks but such is reality.

  • stsk

    Am I the only one who finds it curious that Kaspersky Labs “finds” the only instance of iOS store malware, (Russian language only, of course), after “predicting” this would happen… (following Eugene Kaspersky getting slapped down for lying about his fictitious relationship with Apple)? Jeez, he must be psychic