Apple has removed a malicious app from the App Store that took the user's contacts and used them to send spam. Kaspersky Lab Expert Denis originally reported on the app, Find and Call, for Securelist, based on information from Russian carrier MegaFon.
[MegaFon] notified us about a suspicious application, which was found in both the Apple App Store and Google Play. [...] [Our] analysis of the iOS and Android versions of the same application showed that it’s not an SMS worm but a Trojan that uploads a user’s phonebook to a remote server. The 'replication' part is done by the server - SMS spam messages with the URL to the application are being sent from the remote server to all the contacts in the user’s address book.
You can read Apple's statement over on The Loop.
In response to previous incidents of unauthorized transfers, iOS 6 will apparently ask for the user's explicit permission before granting an app access to Contacts, the same way current and previous versions of iOS ask before granting access to location. However, a permission prompt won't protect against apps that, rather than attacking the code of the system, attack the trust and naiveté of the user.
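As an added illustration (not code from the post or from Apple), here is how an app built against the iOS 6 AddressBook framework has to go through that gate: it checks the recorded authorization status, asks once when no decision has been recorded yet, and gets the user's answer back in a completion block. The `requestContactsAccess` helper and its handler type are names I chose; the framework calls themselves are the public iOS 6 API.

```objc
// Added illustration of the iOS 6 Contacts permission gate; not from the post.
// Before iOS 6 an app could read the address book with no prompt at all. With
// iOS 6 the first access triggers the system prompt, and the status below
// records whatever the user answered, so a denied app stays denied.
#import <AddressBook/AddressBook.h>

typedef void (^ContactsAccessHandler)(BOOL granted);   // hypothetical name

// Asks for Contacts access only when the status is still NotDetermined;
// otherwise reports the decision the system already recorded, without
// prompting again (the system would not show the prompt a second time anyway).
static void requestContactsAccess(ContactsAccessHandler handler) {
    ABAuthorizationStatus status = ABAddressBookGetAuthorizationStatus();
    switch (status) {
        case kABAuthorizationStatusAuthorized:
            handler(YES);
            return;
        case kABAuthorizationStatusDenied:
        case kABAuthorizationStatusRestricted:
            // The user (or a device restriction) said no; the app gets nothing
            // and should degrade gracefully rather than nag or work around it.
            handler(NO);
            return;
        case kABAuthorizationStatusNotDetermined: {
            CFErrorRef error = NULL;
            ABAddressBookRef book = ABAddressBookCreateWithOptions(NULL, &error);
            if (book == NULL) {
                if (error) CFRelease(error);
                handler(NO);
                return;
            }
            // This call is what makes iOS 6 show the "would like to access
            // your contacts" prompt; the completion runs on an arbitrary queue.
            ABAddressBookRequestAccessWithCompletion(book, ^(bool granted, CFErrorRef err) {
                dispatch_async(dispatch_get_main_queue(), ^{
                    handler(granted ? YES : NO);
                });
                CFRelease(book);
            });
            return;
        }
    }
}
```

The point for the reader of the post is the limit of this mechanism: the prompt only tells the user that an app wants Contacts, not why, so an app that has already talked the user into wanting its "feature" will be granted access just as readily as an honest one.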
In other words, apps that deliberately deceive users into doing things are very difficult for any system to protect against. Just as people can be conned out of money or property in real life, they can be conned out of data in the digital world. "Enter your password for free porn" is never a good idea on any platform.
The only real protection against these human engineering (social engineering) attacks is to be careful about which data you let apps use. Default to saying "no" unless there's a compelling reason to say "yes".
As iOS gets more popular, these human engineering attacks will become more and more common. Apple will no doubt remove malicious apps as they appear, and it needs to keep improving the speed of detection and removal, but ultimately we're all responsible for our own safety.