The app’s name is Find and Call, and it’s the first time we’ve ever seen a malicious app make it into Apple’s App Store.
Once installed, the app asks you to register your phone number and email address. Find and Call will also ask if you want to “find friends in a phone book” before discretely uploading your entire contact list to a remote server.
The app will continue to upload your contacts, and will SMS messages to those people that contain a link to download the app themselves. These SMS messages show up as if they were sent from your number, so the recipients are much more likely to click on the link.
Find and Call appears to have been pulled from the Google Play Store, though it’s still live on the App Store as of this writing. [Update: “The Find & Call app has been removed from the App Store due to its unauthorized use of users’ Address Book data, a violation of App Store guidelines,” an Apple representative told Macworld at 12 p.m. PDT.] Kaspersky was tipped off to the existence of the app by Russian mobile carrier MegaFon via Twitter, and the app appears to be getting blasted in its reviews as being a virus, according to Google Translate.
While malware in the Play Store isn’t anything new, it’s concerning to see such an app make it into Apple’s walled garden. This raises questions as to how an app like Find and Call made it into the App Store in the first place, and what other dangerous apps have managed to slip past Apple’s screeners.
Hopefully this was just a fluke, but in the meantime remember that if an app looks suspicious–even if it’s in the App Store–it’s best to play it safe and not download it.