A Russian security company has uncovered what it claims is the first case of malware to be found in Apple's App Store.
Kaspersky Lab has published a report on its Securelist blog about an app named 'Find and Call', a piece of malware which steals your phonebook details and sends spam SMS messages to all your contacts, claiming to be from you.
Only last week the iPhone celebrated its fifth birthday and security experts were congratulating Apple on preventing malware from entering the App Store, thanks in the main to its walled-garden approach. Kaspersky Lab has contacted Apple regarding the malware but so far the app has not been removed from the App Store [as of 15:32 on 6 July].
The malicious Find and Call app was also found in the Android Google Play store, though instances of malware on the Android platform are altogether more common. The app description is very muddled, and doesn't really tell you what the app does:
"Find and call is a new technology for your mobile phone. For the first time in the world, you may not only make calls from your mobile phone, but also search for subscribers you need. Free calls from your mobile phone to domains, email, Skype, social networks. Forget about numbers!!!"
It seems to be a translation from another language into English.
The app is aimed at smartphone users, and it was a tip from Russian mobile phone network Megafon which alerted Kaspersky Lab to the presence of the malicious app. Initially the security company believed it to be an SMS worm, spreading by sending short messages, with a URL linking to itself, to all contacts stored in your phonebook.
Further inspection, however, revealed that both versions were pieces of malware known as Trojans, which install themselves on your phone and upload your phonebook details to a remote server. The server then generates spam SMS messages to send to all your contacts, but when the messages are received, they look like they came from your mobile number.
Once installed, if you launch the app you will be asked to register within the app using your email address and mobile phone number, though neither of these input fields is checked for validity. If the user then asks to 'Find Friends in the phonebook', all the data will be secretly sent to a remote server.
There are no terms of usage or notifications alerting you to this happening. Both the Android and iOS apps are also able to upload the user's GPS coordinates, but this is something which legal as well as malicious apps do all the time.
Once the phonebook details are uploaded, every one of your contacts will receive a spam message which looks like it is from your number. The message contains a URL which asks users to download the app themselves.
Kaspersky Lab expert Denis Maslennikov did some checking on who is behind the app and discovered that, once you've signed in on the app's website, it will ask you for your social network details and email address, which it seems will also be used maliciously, and even for your PayPal details.
Further investigation shows that if you do add money from your PayPal account, you send the money to a company called Wealth Creation Laboratory, which has the motto "Let's create together the world of plenty and prosperity."