Apple has pulled the Find and Call app for iPhone from its App Store after a security alert from Kaspersky Labs described the app as a trojan. Renaming the app “Leak and Spam,” the security company said the app was uploading user address books to a remote server in order to spam those contacts with an SMS message.
“Our analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phone book to remote server,” the firm said in its alert. “The ‘replication’ part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.”
The app was available on both Apple’s App Store and Google’s Google Play, and Kaspersky Labs said that both versions were engaging in the Leak and Spam behavior. As of this writing, the app was not available on either store.
The firm was originally alerted by Russian mobile carrier MegaFon, which had noticed suspicious activity by the app and passed along a warning that it could be a worm.
Social networking apps took heat for uploading user address books without expressly stating their intentions to do so, but there was no direct spam associated with those incidents. While grabbing address books without permission had long been against Apple’s developer code of conduct, Apple said in February that it would begin requiring explicit permission at the OS level in the future.