If you’ve received unexpected, apparently-meaningless text messages from friends recently that have suggested that you download a particular app for your mobile device, you’ve probably had two responses. Firstly, you probably realized very quickly that you really shouldn’t download any software suggested by a friend in a text message because, come on, really. And secondly, you likely wondered, am I being spammed by my friend? The answer to that question is yes… and the reason why may just have been the Find and Call app.
Both Apple and Google have removed the app from their respective app stores after it was revealed by Kaspersky Lab’s Securelist that the app was, in fact, malware just waiting to take advantage of your phone’s address book to try and propagate itself as much as possible. “At first glance, this seemed to be an SMS worm spread via sending short messages to all contacts stored in the phone book with the URL to itself,” wrote Securelist’s Denis. “However, our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to remote server. The ‘replication’ part is done by the server – SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.”
Once downloaded and opened, Denis explained, “the application steals data from the device (phone book and cell phone numbers) which are uploaded to a remote server to be used for SMS spam campaigns. Each phone book entry will receive SMS spam message offering to click on the URL and download this ‘Find and Call’ application. It is worth mentioning that the ‘from’ field contains the user’s cell phone number. In other words, people will receive an SMS spam message from a trusted source.”
In addition to information stolen from address books, the app also invited users to enter GPS co-ordinates and login details for their various social network and email accounts, as well as for additional services like PayPal. Russian blog AppleInsider.ru managed to track down the developer of the app, who claimed via email that the SMS messages were the result of a bug that had been discovered via beta testing and was in the process of being repaired.
As the Securelist report points out, the malware is relatively benign – although it is essentially stealing your personal data for purposes unknown, which doesn’t feel entirely benign – but it’s a disturbing milestone for Apple, being the first instance of malware available through the Apple App Store. Unsurprisingly, Find and Call was removed from both the Apple App Store and Google Play soon after the companies became aware of the problem.