Malware Hits Apple App Store ‘For First Time Ever’

A malicious application has been found on both Apple’s App Store and Google Play, designed to steal users’ phonebooks and spam contacts.

According to Russian security giant Kaspersky, it marks the first time malware has been spotted on Apple’s iOS store, which has been largely unaffected by security problems since its launch five years ago.

If users download the ‘Find and Call’ app, the attackers spam all contacts with text messages containing a link to the application download page, as the malware seeks to propagate, Kaspersky discovered.

Spam messages claim to come from the original victim’s device, making it seem more legitimate and therefore making it more tempting to click on the link.

Rotten app in the Apple App Store?

The security company said it had informed Apple and Google, but had not received a response. Kaspersky was alerted to the spamming application by partner MegaFon, one of the major mobile carriers in Russia.

But users have vented their anger in the reviews sections for the app, noting how it was sending SMS spam.

As for the attackers’ end goal, they appear to be duping users of their money and their data. Users are asked to register in the app using email addresses and mobile numbers. The app’s website also asks users if they want to add social network accounts and PayPal to add money to their app account. The Trojan can also upload users’ GPS coordinates to the same server.

“Malware in the Google Play is nothing new but it’s the first case that we’ve seen malware in the Apple App Store. It is worth mentioning that there have not been any incidents of malware inside the iOS Apple App Store since its launch 5 years ago,” said Kaspersky Lab expert Denis Maslennikov, in a blog post.

“But the main issue here is user’s privacy again. It’s not for the first time when we see incidents related to user’s personal data and its leakage. And it’s for the first time when we have confirmed case of malicious usage of such data.

“We’re sure that both applications must be deleted from the official markets. Yes, these pieces of malware are not that ‘cybercriminalistic’. But malware is malware and in this case it steals user’s phone book and uses it for SMS spam. And we’re sure that there must be strict and quick response to such incidents. Period.”

Apple had not responded to a request for comment at the time of publication. Google said it had no comment on the specific matter, but offered the same comment as TechWeekEurope received for a story on other Android threats this week: “We are committed to providing a secure experience for consumers in Google Play, and in fact our data shows between the first and second halves of 2011, we saw a 40 percent decrease in the number of potentially-malicious downloads from Google Play. Last year we also introduced a new service into Google Play that provides automated scanning for potentially malicious software without disrupting the user experience or requiring developers to go through an application approval process.”

When TechWeekEurope checked their respective markets, Find and Call was still on the App Store and Google Play.

The promotional copy for the app claimed to offer “free calls from your mobile phone to domains, email, Skype, social networks”.

At the InfoSecurity 2012 conference earlier this year, Kaspersky’s CEO Eugene Kaspersky admitted to TechWeekEurope that if anti-virus products were allowed onto iOS, Apple would have to open the doors of its ‘walled garden’, which would in turn allow for more malicious activity its mobile devices. But not allowing anti-virus would cause more harm once hackers figured out how to get malware onto iPhones and iPads.

Apple’s confidence around the security of its laptops and desktops was hit this year, thanks to the Flashback malware, which infected over 600,000 Macs.

Android continues to be plagued by security issues, including a botnet and a rootkit discovered this week.

Keen on IT security? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • I wonder what negative impact this will have on other legitimate apps that have similar names and functions. Hopefully apps like ReadAndCall and others which are good don't receive unwarranted negative reactions. Many developers work hard to produce good Apps and one bad "apple" can ruin countless hours of good work.

Recent Posts

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

13 hours ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

15 hours ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

16 hours ago

VW, Rivian Launch Joint Venture, As Investment Rises To $5.8 Billion

Volkswagen and Rivian officially launch their joint venture, as German car giant ups investment to…

17 hours ago

AMD Axes 4 Percent Of Staff, Amid AI Chip Focus

Merry Christmas staff. AMD hands marching orders to 1,000 employees in the led up to…

20 hours ago

Tesla Recalls 2,431 Cybertrucks Over Propulsion Issue

Recall number six in 2024 for Tesla Cybertruck, and this time the fault cannot be…

21 hours ago