Malware Hits Apple App Store ‘For First Time Ever’

A malicious application has been found on both Apple’s App Store and Google Play, designed to steal users’ phonebooks and spam contacts.

According to Russian security giant Kaspersky, it marks the first time malware has been spotted on Apple’s iOS store, which has been largely unaffected by security problems since its launch five years ago.

If users download the ‘Find and Call’ app, the attackers spam all contacts with text messages containing a link to the application download page, as the malware seeks to propagate, Kaspersky discovered.

Spam messages claim to come from the original victim’s device, making it seem more legitimate and therefore making it more tempting to click on the link.

Rotten app in the Apple App Store?

The security company said it had informed Apple and Google, but had not received a response. Kaspersky was alerted to the spamming application by partner MegaFon, one of the major mobile carriers in Russia.

But users have vented their anger in the reviews sections for the app, noting how it was sending SMS spam.

As for the attackers’ end goal, they appear to be duping users out of both their money and their data. Users are asked to register in the app with an email address and mobile number. The app’s website also asks users whether they want to link social network accounts and PayPal in order to add money to their app account. The Trojan can also upload users’ GPS coordinates to the same server.

“Malware in Google Play is nothing new, but it’s the first case where we’ve seen malware in the Apple App Store. It is worth mentioning that there have not been any incidents of malware inside the iOS Apple App Store since its launch five years ago,” said Kaspersky Lab expert Denis Maslennikov, in a blog post.

“But the main issue here is users’ privacy again. It’s not the first time we have seen incidents related to users’ personal data and its leakage. And it’s the first time we have a confirmed case of malicious usage of such data.

“We’re sure that both applications must be deleted from the official markets. Yes, these pieces of malware are not that ‘cybercriminalistic’. But malware is malware, and in this case it steals the user’s phone book and uses it for SMS spam. And we’re sure that there must be a strict and quick response to such incidents. Period.”

Apple had not responded to a request for comment at the time of publication. Google said it had no comment on the specific matter, but offered the same comment as TechWeekEurope received for a story on other Android threats this week: “We are committed to providing a secure experience for consumers in Google Play, and in fact our data shows between the first and second halves of 2011, we saw a 40 percent decrease in the number of potentially-malicious downloads from Google Play. Last year we also introduced a new service into Google Play that provides automated scanning for potentially malicious software without disrupting the user experience or requiring developers to go through an application approval process.”

When TechWeekEurope checked their respective markets, Find and Call was still on the App Store and Google Play.

The promotional copy for the app claimed to offer “free calls from your mobile phone to domains, email, Skype, social networks”.

At the InfoSecurity 2012 conference earlier this year, Kaspersky’s CEO Eugene Kaspersky admitted to TechWeekEurope that if anti-virus products were allowed onto iOS, Apple would have to open the doors of its ‘walled garden’, which would in turn allow for more malicious activity on its mobile devices. But not allowing anti-virus would cause more harm once hackers figured out how to get malware onto iPhones and iPads.

Apple’s confidence around the security of its laptops and desktops was hit this year, thanks to the Flashback malware, which infected over 600,000 Macs.

Android continues to be plagued by security issues, including a botnet and a rootkit discovered this week.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • I wonder what negative impact this will have on other legitimate apps that have similar names and functions. Hopefully apps like ReadAndCall and others which are good don't receive unwarranted negative reactions. Many developers work hard to produce good Apps and one bad "apple" can ruin countless hours of good work.
