Apple pulls malicious App Store app that took contacts, sent spam

Apple has removed a malicious app from the App Store that took the user's contacts and used them to send spam. Kaspersky Lab expert Denis originally reported on the app, Find and Call, for Securelist, based on information from Russian carrier MegaFon.

[MegaFon] notified us about a suspicious application, which was found in both the Apple App Store and Google Play. [...] [Our] analysis of the iOS and Android versions of the same application showed that it's not an SMS worm but a Trojan that uploads a user's phonebook to a remote server. The 'replication' part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user's address book.

You can read Apple's statement over on The Loop.

In response to previous incidents of unauthorized contact uploads, iOS 6 will apparently ask for express permission before granting an app access to Contacts, the same way current and previous versions of iOS ask for permission to use location. However, that won't protect against apps that, rather than attacking the code of the system, attack the trust and naiveté of the user.

In other words, apps that deliberately try to deceive users into doing things are very difficult for any system to protect against. Just like people can get conned out of money or property in real life, they can get conned out of data in the digital world. "Enter your password for free porn" is never a good idea on any platform.

The only way to protect against these kinds of human engineering attacks is to be careful what data you allow apps to use. Default to saying "no" unless there's a compelling reason to say "yes".

As iOS gets more popular, these kinds of human engineering attacks will become more and more common. Apple will no doubt remove malicious apps as they appear, and it needs to keep improving the speed of detection and removal, but ultimately we're all responsible for our own safety.

Source: Securelist via Forbes; The Loop


Rene Ritchie

EiC of iMore, EP of Mobile Nations, Apple analyst, co-host of Debug, Iterate, Vector, Review, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.


Reader comments


While Apple does a pretty good job of policing apps in the App Store, I would very much appreciate the type of flexibility allowed in BlackBerry OS when it comes to permissions granted to particular apps. This would go a long way in securing personal information on the phone. I have never liked blanket yes/no permission statements for apps.