Google, Apple remove malware application from official app stores

Google and Apple removed a mobile app named Find and Call from their respective app stores on Thursday following reports that it was stealing people’s phone book data and using the information to spam their contacts.

The app had been available on Google Play since at least May 21 and on Apple’s App Store since at least June 13. Those dates are when the app’s Android and iOS versions were last updated, said Denis Maslennikov, a senior malware analyst at security firm Kaspersky Lab.

Security researchers from Kaspersky flagged Find and Call as malware after being notified about its suspicious behavior by MegaFon, one of the largest mobile carriers in Russia.

According to its developer’s website, the app lets users find and call other people without knowing their phone numbers, if those people have associated their domain names, social networking handles, instant messaging IDs, or other similar contact information with a phone number in the Find and Call system.

After installation, if users click on an option to find their friends, the app silently uploads their phone book data to the developer’s server without asking for confirmation. Once a user’s phone book data is copied, their contacts receive an SMS message advertising the Find and Call app. These messages are sent by the app’s developer, but they are modified to appear as if they come from the user’s phone number. In addition, if a contact’s email address is included in a stolen address book, that contact might also receive a spam email.

Other apps have been caught uploading user address books to remote servers without proper notification in the past. However, in this particular case, there is clear evidence that the data is being misused, Maslennikov said.

Although malicious applications are not new to Google Play, this appears to be the first time that malware has been found in Apple’s App Store, Maslennikov said. Apple will probably be stricter from now on when reviewing applications that try to upload user phone books to remote servers, he said. The forthcoming iOS 6 also enforces stronger controls on apps that seek to access contacts information.

Although the Find and Call website has an English version, the Kaspersky researchers have only seen Russian-language versions of the app so far, Maslennikov said.